Guide to Online Anonymity (by https://anonymousplanet.org/)

Use at your own risk. Please do not take this guide as a definitive truth for everything because it is not.
​

Spoiler: Table of Contents

• Introduction:
• Understanding some basics of how some information can lead back to you and how to mitigate some:
  • Your Network:
    • Your IP address:
    • Your DNS and IP requests:
    • Your RFID enabled devices:
    • The Wi-Fis and Bluetooth devices around you:
    • Malicious/Rogue Wi-Fi Access Points:
    • Your Anonymized Tor/VPN traffic:
    • Some Devices can be tracked even when offline:
  • Your Hardware Identifiers:
    • Your IMEI and IMSI (and by extension, your phone number):
    • Your Wi-Fi or Ethernet MAC address:
    • Your Bluetooth MAC address:
  • Your CPU:
  • Your Operating Systems and Apps telemetry services:
  • Your Smart devices in general:
  • Yourself:
    • Your Metadata including your Geo-Location:
    • Your Digital Fingerprint, Footprint, and Online Behavior:
    • Your Clues about your Real Life and OSINT:
    • Your Face, Voice, Biometrics and Pictures:
    • Phishing and Social Engineering:
  • Malware, exploits, and viruses:
    • Malware in your files/documents/e-mails:
    • Malware and Exploits in your apps and services:
    • Malicious USB devices:
    • Malware and backdoors in your Hardware Firmware and Operating System:
  • Your files, documents, pictures, and videos:
    • Properties and Metadata:
    • Watermarking:
    • Pixelized or Blurred Information:
  • Your Crypto currencies transactions:
  • Your Cloud backups/sync services:
  • Your Browser and Device Fingerprints:
  • Local Data Leaks and Forensics:
  • Bad Cryptography:
  • No logging but logging anyway policies:
  • Some Advanced targeted techniques:
  • Some bonus resources:
  • Notes:
• General Preparations:
  • Picking your route:
    • Timing limitations:
    • Budget/Material limitations:
    • Skills:
    • Adversaries (threats):
  • Steps for all routes:
    • Get an anonymous Phone number:
    • Get a USB key:
    • Find some safe places with decent public Wi-Fi:
  • The TAILS route:
    • Persistent Plausible Deniability using Whonix within TAILS:
  • Steps for all other routes:
    • Get a dedicated laptop for your sensitive activities:
    • Some laptop recommendations:
    • Bios/UEFI/Firmware Settings of your laptop:
    • Physically Tamper protect your laptop:
  • The Whonix route:
    • Picking your Host OS (the OS installed on your laptop):
    • Linux Host OS:
    • MacOS Host OS:
    • Windows Host OS:
    • Virtualbox on your Host OS:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Whonix:
    • Tor over VPN:
    • Whonix Virtual Machines:
    • Pick your guest workstation Virtual Machine:
    • Linux Virtual Machine (Whonix or Linux):
    • Windows 10 Virtual Machine:
    • Android Virtual Machine:
    • MacOS Virtual Machine:
    • KeepassXC:
    • VPN client installation (cash/Monero paid):
    • (Optional) allowing only the VMs to access the internet while cutting off the Host OS to prevent any leak:
    • Final step:
  • The Qubes Route:
    • Pick your connectivity method:
    • Get an anonymous VPN/Proxy:
    • Installation:
    • Lid Closure Behavior:
    • Connect to a Public Wi-Fi:
    • Update Qubes OS:
    • Hardening Qubes OS:
    • Setup the VPN ProxyVM:
    • Setup a safe Browser within Qube OS (optional but recommended):
    • Setup an Android VM:
    • KeePassXC:
• Creating your anonymous online identities:
  • Understanding the methods used to prevent anonymity and verify identity:
    • Captchas:
    • Phone verification:
    • E-Mail verification:
    • User details checking:
    • Proof of ID verification:
    • IP Filters:
    • Browser and Device Fingerprinting:
    • Human interaction:
    • User Moderation:
    • Behavioral Analysis:
    • Financial transactions:
    • Sign-in with some platform:
    • Live Face recognition and biometrics (again):
    • Manual reviews:
  • Getting Online:
    • Creating new identities:
    • The Real-Name System:
    • About paid services:
    • Overview:
    • How to share files or chat anonymously:
    • Redacting Documents/Pictures/Videos/Audio safely:
    • Communicating sensitive information to various known organizations:
    • Maintenance tasks:
• Backing-up your work securely:
  • Offline Backups:
    • Selected Files Backups:
    • Full Disk/System Backups:
  • Online Backups:
    • Files:
    • Information:
  • Synchronizing your files between devices Online:
• Covering your tracks:
  • Understanding HDD vs SSD:
    • Wear-Leveling.
    • Trim Operations:
    • Garbage Collection:
    • Conclusion:
  • How to securely wipe your whole Laptop/Drives if you want to erase everything:
    • Linux (all versions including Qubes OS):
    • Windows:
    • MacOS:
  • How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:
    • Windows:
    • Linux (non Qubes OS):
    • Linux (Qubes OS):
    • MacOS:
  • Some additional measures against forensics:
    • Removing Metadata from Files/Documents/Pictures:
    • TAILS:
    • Whonix:
    • MacOS:
    • Linux (Qubes OS):
    • Linux (non-Qubes):
    • Windows:
  • Removing some traces of your identities on search engines and various platforms:
    • Google:
    • Bing:
    • DuckDuckGo:
    • Yandex:
    • Qwant:
    • Yahoo Search:
    • Baidu:
    • Wikipedia:
    • Archive.today:
    • Internet Archive:
• Some low-tech old-school tricks:
  • Hidden communications in plain sight:
  • How to spot if someone has been searching your stuff:
• Some last OPSEC thoughts:
• If you think you got burned:
  • If you have some time:
  • If you have no time:
• A small final editorial note

 

[HEISENBERG]

Budget/Material limitations:​

• You only have one laptop available and cannot afford anything else. You use this laptop for either work, family, or your personal stuff (or both):
  
  • Your best option is to go for the Tails route.
• You can afford a spare dedicated unsupervised/unmonitored laptop for your sensitive activities:
  
  • But it is old, slow and has bad specs (less than 6GB of RAM, less than 250GB disk space, old/slow CPU):
    
    • You should go for the Tails route.
  • It is not that old and it has decent specs (at least 6GB of RAM, 250GB of disk space or more, decent CPU):
    
    • You could go for Tails, Whonix routes.
  • It is new and it has great specs (more than 8GB of RAM, >250GB of disk space, recent fast CPU):
    
    • You could go for any route but I would recommend Qubes OS if your threat model allows it.
  • If it is an ARM based M1 Mac:
    
    • Not possible currently for these reasons:
      
      • Virtualization of x86 images on ARM M1 Macs is still limited to commercial software (Parallels) which is not supported by Whonix yet.
      • Virtualbox is not available for ARM architecture yet.
      • Whonix is not supported on ARM architecture yet.
      • Tails is not supported on ARM architecture yet.
      • Qubes OS is not supported on ARM architecture yet.

Your only option on M1 Macs is probably to stick with Tor Browses for now. But I would guess that if you can afford an M1 Mac you should probably get a dedicated x86 laptop for more sensitive activities.

 

[HEISENBERG]

Skills:​

• You have no IT skills at all the content of this guide looks like an alien language to you?
  
  • You should go with the Tails route (excluding the persistent plausible deniability section).
• You have some IT skills and mostly understand this guide so far
  
  • You should go with Tails (including the persistent plausible deniability section) or Whonix routes.
• You have moderate to high IT skills and you are already familiar with some of the content of this guide
  
  • You could go with anything you like but I would strongly recommend Qubes OS.
• You are a l33T hacker, “there is no spoon”, “the cake is a lie”, you have been using “doas” for years and “all your base are belong to us”, and you have strong opinions on systemd.
  
  • This guide is not really meant for you and will not help you with your HardenedBSD on your hardened Libreboot laptop ;-)

​

 

[HEISENBERG]

Adversaries (threats):​

• If your main concern is forensic examination of your devices:
  
  • You should go with the Tails route (with optional persistent plausible deniability).
• If your main concerns are remote adversaries that might uncover your online identity in various platforms:
  
  • You could go with the Whonix or Qubes OS routes.
  • You could also go with Tails (with optional persistent plausible deniability).
• If you absolutely want system wide plausible deniability despite the risks:
  
  • You could go with the Tails Route including the persistent plausible deniability section.
  • You could go with the Whonix Route (on Windows Host OS only within the scope of this guide).
• If you are in a hostile environment where Tor/VPN usage alone is impossible/dangerous/suspicious:
  
  • You could go with the Tails route (without using Tor).
  • You could go with the Whonix or Qubes OS route (without actually using Whonix).

In all cases, you should read these two pages from the Whonix documentation that will give you in depth insight about your choices:

• https://www.whonix.org/wiki/Warning [Archive.org]
• https://www.whonix.org/wiki/Dev/Threat_Model [Archive.org]
• https://www.whonix.org/wiki/Comparison_with_Others [Archive.org]

You might be asking yourself: “How do I know if I’m in a hostile online environment where activities are actively monitored and blocked?”

• First read more about it at the EFF here: https://ssd.eff.org/en/module/understanding-and-circumventing-network-censorship [Archive.org]
• Check some data yourself here on the Tor Project OONI (Open Observatory of Network Interference) website: https://explorer.ooni.org/ [Archive.org]
• Have a look at https://censoredplanet.org/ [Archive.org] and see if they have data about your country.
• Test for yourself using OONI (this can be risky in a hostile environment).

 

[HEISENBERG]

Steps for all routes:​

Get used to use better passwords:​

See Appendix A2: Guidelines for passwords and passphrases.

Get an anonymous Phone number:​

Skip this step if you have no intention of creating anonymous accounts on most mainstream platforms but just want anonymous browsing or if the platforms you will use allow registration without a phone number.

Physical Burner Phone and prepaid SIM card:​

Get a burner phone:​

This is rather easy. Leave your smartphone off or power it off before leaving. Have some cash and go to some random flea market or small shop (ideally one without CCTV inside or outside and while avoiding being photographed/filmed) and just buy the cheapest phone you can find with cash and without providing any personal information. It only needs to be in working order.


Personally, I would recommend getting an old “dumbphone” with a removable battery (old Nokia if your mobile networks still allow those to connect as some countries phased out 1G-2G completely). This is to avoid the automatic sending/gathering of any telemetry/diagnostic data on the phone itself. You should never connect that phone to any Wi-Fi.


It will also be crucial not to power on that burner phone ever (not even without the SIM card) in any geographical location that could lead to you (at your home/work for instance) and never ever at the same location as your other known smartphone (because that one has an IMEI/IMSI that will easily lead to you). This might seem like a big burden but it is not as these phones are only being used during the setup/sign-up process and for verification from time to time.


See Appendix N: Warning about smartphones and smart devices


You should test that the phone is in working order before going to the next step. But I will repeat myself and state again that it is important to leave your smartphone at home when going (or turn it off before leaving if you must keep it) and that you test the phone at a random location that cannot be tracked back to you (and again, do not do that in front of a CCTV, avoid cameras, be aware of your surroundings). No need for Wi-Fi at this place either.


When you are certain the phone is in working order, disable Bluetooth then power it off (remove the battery if you can) and go back home and resume your normal activities. Go to the next step.

Get an anonymous pre-paid SIM card:​

This is the hardest part of the whole guide. It is a SPOF (Single Point of Failure). The places where you can still buy prepaid SIM cards without ID registration are getting increasingly limited due to various KYC type regulations.


So here is a list of places where you can still get them now: https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country [Archive.org]


You should be able to find a place that is “not too far” and just go there physically to buy some pre-paid cards and top-up vouchers with cash. Do verify that no law was passed before going that would make registration mandatory (in case the above wiki was not updated). Try to avoid CCTV and cameras and do not forget to buy a Top Up voucher with the SIM card (if it is not a package) as most pre-paid cards will require a top-up before use.


See Appendix N: Warning about smartphones and smart devices


Double-check that the mobile operators selling the pre-paid SIM cards will accept the SIM activation and top-up without any ID registration of any kind before going there. Ideally, they should accept SIM activation and top-up from the country you reside in.


Personally, I would recommend GiffGaff in the UK as they are “affordable”, do not require identification for activation and top-up and will even allow you to change your number up to 2 times from their website. One GiffGaff prepaid SIM card will therefore grant you 3 numbers to use for your needs.


Power off the phone after activation/top-up and before going home. Do not ever power it on again unless you are not at a place that can be used to reveal your identity and unless your smartphone is powered off before going to that “not your home” place.

Online Phone Number (less recommended):​

DISCLAIMER: Do not attempt this until you are done setting up a secure environment according to one of the selected routes. This step will require online access and should only be done from an anonymous network. Do not do this from any known/unsecure environment. Skip this until you have finished one of the routes.


There are many commercial services offering numbers to receive SMS messages online but most of those have basically no anonymity/privacy and can be of no help as most Social Media platforms place a limit on how many times a phone number can be used for registration.


There are some forums and subreddits (like r/phoneverification/) where users will offer the service of receiving such SMS messages for you for a small fee (using PayPal or some crypto payment). Unfortunately, these are full of scammer and very risky in terms of anonymity. You should not use those under any circumstance.


To this date, I do not know any reputable service that would offer this service and accept cash payments (by post for instance) like some VPN providers. But there are a few services providing online phone numbers and do accept Monero which could be reasonably anonymous (yet less recommended than that physical way in the previous chapter) that you could consider:

• Recommended: Do not require any identification (even e-mail):
  
  • (UK based, Seems Unavailable at the time of this writing) https://dtmf.io/ [Archive.org] preferred because they even provide an onion hidden service address for direct access through the Tor Network at http://dtmfiovjh42uviqez6qn75igbagtiyo724hy3rdxm77dy2m5tt7lbaqd.onion/
  • (Iceland based) https://crypton.sh [Archive.org]
  • (Ukraine based) https://virtualsim.net/ [Archive.org]
• Do require identification (valid e-mail):
  
  • (Germany based) https://www.sms77.io/ [Archive.org]
  • (Russia based) https://onlinesim.ru/ [Archive.org]

There are some other possibilities listed here https://cryptwerk.com/companies/sms/xmr/ [Archive.org]. Use at your own risk.


DISCLAIMER: I cannot vouch for any of these providers and therefore I will still recommend doing it yourself physically. In this case you will have to rely on the anonymity of Monero and you should not use any service that requires any kind of identification using your real identity. Please do read this Monero Disclaimer.


Therefore IMHO, it is probably just more convenient, cheaper, and less risky to just get a pre-paid SIM card from one of the physical places who still sell them for cash without requiring ID registration. But at least there is an alternative if you have no other option.

Get an USB key:​

Get at least one or two decent size generic USB keys (at least 16GB but I would recommend 32GB).


Please do not buy or use gimmicky self-encrypting devices such as these: https://syscall.eu/blog/2018/03/12/aigo_part1/ [Archive.org]


Some might be very efficient but many are gimmicky gadgets that offer no real protection.

Find some safe places with decent public Wi-Fi:​

You need to find safe places where you will be able to do your sensitive activities using some publicly accessible Wi-Fi (without any account/ID registration, avoid CCTVs).


This can be anywhere that will not be tied to you directly (your home/work) and where you can use the Wi-Fi for a while without being bothered. But also, a place where you can do this without being “noticed” by anyone.


If you think Starbucks is a good idea, you may reconsider:

• They probably have CCTVs in all their shops and keep those recordings for an unknown amount of time.
• You will need to buy a coffee to get the Wi-Fi access code in most. If you pay this coffee with an electronic method, they will be able to tie your Wi-Fi access with your identity.

Situational awareness is key and you should be constantly aware of your surroundings and avoid touristy places like it was plagued by Ebola. You want to avoid appearing on any picture/video of anyone while someone is taking a selfie, making a TikTok video or posting some travel picture on their Instagram. If you do, remember chances are high that those pictures will end up online (publicly or privately) with full metadata attached to them (time/date/geolocation) and your face. Remember these can and will be indexed by Facebook/Google/Yandex/Apple and probably all 3 letters agencies.


While this will not be available yet to your local police officers, it could be in the near future.


You will ideally need a set of 3-5 different places such as this to avoid using the same place twice. Several trips will be required over the weeks for the various steps in this guide.


You could also consider connect to these places from a safe distance for added security. See Appendix Q: Using long range Antenna to connect to Public Wi-Fis from a safe distance.

 

[HEISENBERG]

The Tails route:​

This part of the guide will help you in setting up Tails if one of the following is true:

• You cannot afford a dedicated laptop
• Your dedicated laptop is just too old and too slow
• You have very low IT skills
• You decide to go with Tails anyway

Tails stands for The Amnesic Incognito Live System. It is a bootable Live Operating System running from a USB key that is designed for leaving no traces and forcing all connections through the Tor network.


You pretty much insert the Tails USB key into your laptop, boot from it and you have a full operating system running with privacy and anonymity in mind. As soon as you shut down the computer, everything will be gone unless you saved it somewhere.


Tails is a very easy way to get going in no time with what you have and without much learning. It has extensive documentation and tutorials.


WARNING: Tails is not always up-to-date with their bundled software. And not always up-to-date with the Tor Browser updates either. You should always make sure you are using the latest version of Tails and you should use extreme caution when using bundled apps within Tails that might be vulnerable to exploits and reveal yourlocation265.


It does however have some drawbacks:

• Tails uses Tor and therefore you will be using Tor to access any resource on the internet. This alone will make you suspicious to most platforms where you want to create anonymous accounts (this will be explained in more details later).
• Your ISP (whether it is yours or some public Wi-Fi) will also see that you are using Tor and this could make you suspicious in itself.
• Tails does not include (natively) some of the software you might want to use later which will complicate things quite a bit if you want to run some specific things (Android Emulators for instance).
• Tails uses Tor Browser which while it is very secure will be detected as well by most platforms and will hinder you in creating anonymous identities on many platforms.
• Tails will not protect you more from the 5$wrench8.
• Tor in itself might not be enough to protect you from an adversary with enough resources as explained earlier.

Important Note: If your laptop is monitored/supervised and some local restrictions are in place, please read Appendix U: How to bypass (some) local restrictions on supervised computers.


You should also read Tails Documentation, Warnings, and limitations, before going further https://tails.boum.org/doc/about/warnings/index.en.html [Archive.org]


Taking all this into account and the fact that their documentation is great, I will just redirect you towards their well-made and well-maintained tutorial:


https://tails.boum.org/install/index.en.html [Archive.org], pick your flavor and proceed.


When you are done and have a working Tails on your laptop, go to the Creating your anonymous online identities step much further in this guide.


If you’re having issue accessing Tor due to censorship or other issues, you can try using Tor Bridges by following this Tails tutorial: https://tails.boum.org/doc/first_steps/welcome_screen/bridge_mode/index.en.html [Archive.org] and find more information about these on Tor Documentation https://2019.www.torproject.org/docs/bridges [Archive.org]


If you think using Tor alone is dangerous/suspicious, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option

 

[HEISENBERG]

Persistent Plausible Deniability using Whonix within Tails:​

Consider checking the https://github.com/aforensics/HiddenVM [Archive.org] project for Tails.


This project is a clever idea of a one click self-contained VM solution that you could store on an encrypted disk using plausibledeniability256 (see The Whonix route: first chapters and also for some explanations about Plausible deniability, as well as the How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives: section at the end of this guide for more understanding).


This would allow the creation of a hybrid system mixing Tails with the Virtualization options of the Whonix route in this guide.

Note: See Pick your connectivity method in the Whonix Route for more explanations about Stream Isolation


In short:

• You could run non-persistent Tails from one USB key (following their recommendations)
• You could store persistent VMs within a secondary contained that could be encrypted normally or using Veracrypt plausible deniability feature (these could be Whonix VMs for instance or any other).
• You do benefit from the added Tor Stream Isolation feature (see Tor over VPN for mor info about stream isolation).

In that case as the project outlines it, there should be no traces of any of your activities on your computer and the sensitive work could be done from VMs stored into a Hidden container that should not be easily discoverable by a soft adversary.


This option is particularly interesting for “traveling light” and to mitigate forensics attacks while keeping persistence on your work. You only need 2 USB keys (one with Tails and one with a Veracrypt container containing persistent Whonix). The first USB key will appear to contain just Tails and the second USB will appear to contain just random garbage but will have a decoy volume which you can show for plausible deniability.


You might also wonder if this will result in a “Tor over Tor” setup but it will not. The Whonix VMs will be accessing the network directly through clearnet and not through Tails Onion Routing.


In the future, this could also be supported by the Whonix project themselves as explained here: https://www.whonix.org/wiki/Whonix-Host [Archive.org] but it not yet recommended as of now for end-users.


Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter a fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org]


Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means.


See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]


CAUTION: Please see Appendix K: Considerations for using external SSD drives and Understanding HDD vs SSD sections if you consider storing such hidden VMs on an external SSD drive:

• Do not use hidden volumes on SSD drives as this is not supported/recommended by Veracrypt.
• Use instead file containers instead of encrypted volumes.
• Make sure you do know how to clean data from an external SSD drive properly.

Here is my guide on how to achieve this:

First Run:​

• Download the latest HiddenVM release from https://github.com/aforensics/HiddenVM/releases [Archive.org]
• Download the latest Whonix XFCE release from https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
• Prepare a USB Key/Drive with Veracrypt
  
  • Create a Hidden Volume on the USB/Key Drive (I would recommend at least 16GB for the hidden volume)
  • In the Outer Volume, place some decoy files
  • In the Hidden Volume, place the HiddenVM appimage file
  • In the Hidden Volume, place the Whonix XFCE ova file
• Boot into Tails
• Setup the Keyboard layout as you want.
• Select Additional Settings and set an administrator (root) password (needed for installing HiddenVM)
• Start Tails
• Connect to a safe wi-fi (this is a required step for the rest to work)
• Go into Utilities and Unlock your Veracrypt (hidden) Volume (do not forget to check the hidden volume checkbox)
• Launch the HiddenVM appimage
• When prompted to select a folder, select the Root of the Hidden volume (where the Whonix OVA and HiddenVM app image files are).
• Let it do its thing (This will basically install Virtualbox within Tails with one click)
• When it is done, it should automatically start Virtualbox Manager.
• Import the Whonix OVA files (see Whonix Virtual Machines:)

Note, if during the import you are having issues such as “NS_ERROR_INVALID_ARG (0x80070057)”, this is probably because there is not enough disk space on your Hidden volume for Whonix. Whonix themselves recommend 32GB of free space but that’s probably not necessary and 10GB should be enough for a start. You can try working around this error by renaming the Whonix *.OVA file to *.TAR and decompressing it within Tails. When you are done with decompression, delete the OVA file and import the other files with the Import wizard. This time it might work.

Subsequent Runs:​

• Boot into Tails
• Connect to Wi-Fi
• Unlock your Hidden Volume
• Launch the HiddenVM App
• This should automatically open VirtualBox manager and show your previous VMs from the first run

 

[HEISENBERG]

Steps for all other routes:​

Get a dedicated laptop for your sensitive activities:​

Ideally, you should get a dedicated laptop that will not be tied to you in any easy way (ideally paid with cash anonymously and using the same precautions as previously mentioned for the phone and the SIM card). It is recommended but not mandatory because this guide will help you harden your laptop as much as possible to prevent data leaks through various means. There will be several lines of defense standing between your online identities and yourself that should prevent most adversaries from de-anonymizing you besides state/global actors with considerable resources.


This laptop should ideally be a clean freshly installed Laptop (Running Windows, Linux or MacOS), clean of your normal day to day activities and offline (never connected to the network yet). In the case of a Windows laptop, and if you used it before such a clean install, it should also not be activated (re-installed without a product key). Specifically in the case of MacBooks, it should never have been tied to your identity before in any means. So, buy second-hand with cash from an unknown stranger who does not know your identity


This is to mitigate some future issues in case of online leaks (including telemetry from your OS or Apps) that could compromise any unique identifiers of the laptop while using it (MAC Address, Bluetooth Address, and Product key …). But also, to avoid being tracked back if you need to dispose of the laptop.


If you used this laptop before for different purposes (like your day-to-day activities), all its hardware identifiers are probably known and registered by Microsoft or Apple. If later any of those identifiers is compromised (by malware, telemetry, exploits, human errors …) they could lead back to you.


The laptop should have at least 250GB of Disk Space at least 6GB (ideally 8GB or 16GB) of RAM and should be able to run a couple of Virtual Machines at the same time. It should have a working battery that lasts a few hours.


This laptop could have an HDD (7200rpm) or an SSD/NVMe drive. Both possibilities have their benefits and issues that will be detailed later.


All future online steps performed with this laptop should ideally be done from a safe network such as a Public Wi-Fi in a safe place (see Find some safe places with decent public Wi-Fi). But several steps will have to be taken offline first.

 

[HEISENBERG]

Some laptop recommendations:​

If you can afford it, you might consider getting a Purism Librem laptop(https://puri.sm [Archive.org]) or System76 laptops(https://system76.com/ [Archive.org]) while using Coreboot (where Intel IME is disabled from factory).


In other cases, I would strongly recommend getting Business grade laptops (meaning not consumer/gaming grade laptops) if you can. For instance, some ThinkPad from Lenovo (my personal favorite). Here are lists of laptops currently supporting Libreboot and others where you can flash Coreboot yourself (that will allow you to disable Intel IME or AMD PSP):

• https://freundschafter.com/research...-intel-me-iamt-and-amd-psp-secure-technology/ [Archive.org]
• https://libreboot.org/docs/hardware/ [Archive.org]
• https://coreboot.org/status/board-status.html [Archive.org]

This is because those business laptops usually offer better and more customizable security features (especially in the BIOS/UEFI settings) with longer support than most consumer laptops (Asus, MSI, Gigabyte, Acer…). The interesting features to look for are IMHO:

• Better custom Secure Boot settings (where you can selectively manage all the keys and not just use the Standard ones)
• HDD/SSD passwords in addition to just BIOS/UEFI passwords.
• AMD laptops could be more interesting as some provide the ability to disable AMD PSP (the AMD equivalent of Intel IME) from the BIOS/UEFI settings by default. And, because AFAIK, AMD PSP was audited and contrary to IME was not found to have any “evil” functionalities. However, if you are going for the Qubes OS Route consider Intel as they do not support AMD with their anti-evil-maid system.
• Secure Wipe tools from the BIOS (especially useful for SSD/NVMe drives, see Appendix M: BIOS/UEFI options to wipe disks in various Brands).
• Better control over the disabling/enabling of select peripherals (USB ports, Wi-Fis, Bluetooth, Camera, Microphone …).
• Better security features with Virtualization.
• Native anti-tampering protections.
• Longer support with BIOS/UEFI updates (and subsequent BIOS/UEFI security updates).
• Some are supported by Libreboot

 

[HEISENBERG]

Bios/UEFI/Firmware Settings of your laptop:​

PC:​

These settings can be accessed through the boot menu of your laptop. Here is a good tutorial from HP explaining all the ways to access the BIOS on various computers: https://store.hp.com/us/en/tech-takes/how-to-enter-bios-setup-windows-pcs [Archive.org]


Usually how to access it is pressing a specific key (F1, F2 or Del) at boot (before your OS).


Once you are in there, you will need to apply a few recommended settings:

• Disable Bluetooth completely if you can.
• Disable Biometrics (fingerprint scanners) if you have any if you can. However, you could add a biometric additional check for booting only (pre-boot) but not for accessing the BIOS/UEFI settings.
• Disable the Webcam and Microphone if you can.
• Enable BIOS/UEFI password and use a long passphrase instead of a password (if you can) and make sure this password is required for:
  
  • Accessing the BIOS/UEFI settings themselves
  • Changing the Boot order
  • Startup/Power-on of the device
• Enable HDD/SSD password if the feature is available. This feature will add another password on the HDD/SSD itself (not in the BIOS/UEFI firmware) that will prevent this HDD/SSD from being used in a different computer without the password. Note that this feature is also specific to some manufacturers and could require specific software to unlock this disk from a completely different computer.
• Prevent accessing the boot options (the boot order) without providing the BIOS/UEFI password if you can.
• Disable USB/HDMI or any other port (Ethernet, Firewire, SD card …) if you can.
• Disable Intel ME if you can.
• Disable AMD PSP if you can (AMD’s equivalent to IME, see Your CPU)
• Disable Secure Boot if you intend to use QubesOS as they do not support it out of the box. Keep it on if you intend to use Linux/Windows.
• Check if your laptop BIOS has a secure erase option for your HDD/SSD that could be convenient in case of need.

Only enable those on a “need to use” basis and disable then again after use. This can help mitigate some attacks in case your laptop is seized while locked but still on OR if you had to shut it down rather quickly and someone took possession of it (this topic will be explained later in this guide).

About Secure boot:​

So, what is Secure Boot In short, it is a UEFI security feature designed to prevent your computer from booting an operating system from which the bootloader was not signed by specific keys stored in the UEFI firmware of your laptop.


Basically, when the Operating Systems (or the Bootloader) supports it, you can store the keys of your bootloader in your UEFI firmware and this will prevent booting up any unauthorized Operating System (such as a live OS USB or anything similar).


Secure Boot settings are protected be the password you setup to access the BIOS/UEFI settings. If you have that password, you can disable Secure Boot and allow unsigned OSes to boot on your system. This can help mitigate some Evil-Maid attacks (explained later in this guide).


In most cases Secure Boot is disabled by default or is enabled but in “setup” mode which will allow any system to boot. For Secure Boot to work, your Operating System will have support it and then sign its bootloader and push those signing keys to your UEFI firmware. After that you will have to go to your BIOS/UEFI settings and save those pushed keys from your OS and change the Secure Boot from setup to user mode (or custom mode in some cases).


After doing that step, only the Operating Systems from which your UEFI firmware can verify the integrity of the bootloader will be able to boot.


Most laptops will have some default keys already stored in the secure boot settings. Usually those from the manufacturer itself or from some companies such as Microsoft. So, this means that by default, it will always be possible to boot some USB disks even with secure boot. These includes Windows, Fedora, Ubuntu, Mint, Debian, CentOS, OpenSUSE, Tails, Clonezilla and many others. Secure Boot is however not supported at all by QubesOS at this point.


In some laptops, you can manage those keys and remove the ones you do not want with a “custom mode” to only authorize your own bootloader that you could sign yourself if you really want to.


So, what is Secure Boot protecting you from? It will protect your laptop from booting unsigned bootloaders (by the OS provider) with for instance injected malware.


What is Secure Boot not protecting you from?

• Secure Boot is not encrypting your disk and an adversary can still just remove the disk from your laptop and extract data from it using a different machine. Secure Boot is therefore useless without full disk encryption.
• Secure Boot is not protecting you from a signed bootloader that would be compromised and signed by the manufacturer itself (Microsoft for example in the case of Windows). Most mainstream Linux distributions are signed these days and will boot with Secure Boot enabled.
• Secure Boot can have flaws and exploits like any other system. If you are running an old laptop that does not benefit from new BIOS/UEFI updates, these can be left unfixed.

Additionally, there are number of attacks that could be possible against Secure Boot as explained (in depth) in these technical videos:

• Defcon 22,
  [Invidious]
• BlackHat 2016,
  [Invidious]

So, it can be useful as an added measure against some adversaries but not all. Secure Boot in itself is not encrypting your hard drive. It is an added layer but that is it.


I still recommend you keep it on if you can.

Mac:​

Take a moment to set a firmware password according to the tutorial here: https://support.apple.com/en-au/HT204455 [Archive.org]


You should also enable firmware password reset protection (available from Catalina) according to the documentation here: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web [Archive.org]


This feature will mitigate the possibility for some adversaries to use hardware hacks to disable/bypass your firmware password. Note that this will also prevent Apple themselves from accessing the firmware in case of repair.

 

[HEISENBERG]

Physically Tamper protect your laptop:​

At some point you will inevitably leave this laptop alone somewhere. You will not sleep with it and take it everywhere every single day. You should make it has hard as possible for anyone to tamper with it without you noticing it. This is mostly useful against some limited adversaries that will not use a 5$ wrench against you.


It is important to know that it is trivially easy for some specialists to install a key logger in your laptop, or to just make a clone copy of your hard drive that could later allow them to detect the presence of encrypted data in it using forensic techniques (more on that later).


Here is a good cheap method to make your laptop tamper proof using Nail Polish (with glitter) https://mullvad.net/en/help/how-tamper-protect-laptop/ [Archive.org] (with pictures).


While this is a good cheap method, it could also raise suspicions as it is quite “noticeable” and might just reveal that you “have something to hide”. So, there are more subtle ways of achieving the same result. You could also for instance make a close macro photography of the back screws of your laptop or just use a very small amount of candle wax within one of the screws that could just look like usual dirt. You could then check for tampering by comparing the photographs of the screws with new ones. Their orientation might have changed a bit if your adversary was not careful enough (Tightening them exactly the same way they were before). Or the wax within the bottom of a screw head might have been damaged compared to before.

Same techniques can be used with USB ports where you could just put a tiny amount of candle wax within the plug that would be damaged by inserting an USB key in it.


In riskier environments, check your laptop for tampering before using on a regular basis.

 

[HEISENBERG]

The Whonix route:​

Picking your Host OS (the OS installed on your laptop):​

This route will make extensive use of Virtual Machines, they will require a host OS to run the Virtualization software. You have 3 recommended choices in this part of the guide:

• Your Linux distribution of choice (excluding Qubes OS)
• Windows 10 (preferably Home edition due to the absence of Bitlocker)
• MacOS (Catalina or higher)

In addition, changes are high that your Mac is or has been tied to an Apple account (at the time or purchase or after signing-in) and therefore its unique hardware identifiers could lead back to you in case of hardware identifiers leak.


Linux is also not necessarily the best choice for anonymity depending on your threat model. This is because using Windows will allow us to conveniently use Plausible Deniability (aka Deniable Encryption) easily at the OS level. Windows is also unfortunately at the same time a privacy nightmare but is the only (convenient) option for using OS wide plausible deniability. Windows telemetry and telemetry blocking is also widely documented which should mitigate many issues.


So, what is Plausible Deniability? It is the ability for you to cooperate with an adversary requesting access to your device/data without revealing your true secret. All this using Deniable Encryption.


A soft lawful adversary could ask for your encrypted laptop password. At first you could refuse to give out any password (using your “right to remain silent”, “right not to incriminate yourself”) but some countries are implementing laws to exempt this from such rights (because terrorists and “think of the children”). In that case you might have to reveal the password or maybe face jail time in contempt of court. This is where plausible deniability will come into play.


You could then reveal a password but that password will only give access to “plausible data” (a decoy OS). The forensics will be well aware that it is possible for you to have hidden data but should not be able to prove this (if you do this right). You will have cooperated and the investigators will have access to something but not what you actually want to hide. Since the burden of proof should lie on their side, they will have no options but to believe you unless they have a proof that you have hidden data.


This feature can be used at the OS level (a plausible OS and a hidden OS) or at the files level where you will have an encrypted file container (similar to a zip file) where different files will be shown depending on the encryption password you use.


This also means you could set-up your own advanced “plausible deniability” setup using any Host OS by storing for instance Virtual Machines on a Veracrypt hidden volume container (be careful for traces in the Host OS tho that would need to be cleaned if the host OS is persistent, see Some additional measures against forensics section later). There is a project for achieving this within Tails(https://github.com/aforensics/HiddenVM [Archive.org]) which would make your Host OS non persistent and use plausible deniability within Tails.


In the case of Windows, plausible deniability is also the reason you should ideally have Windows 10 Home (and not Pro). This is because Windows 10 Pro natively offers a full-disk encryption system (Bitlocker) where Windows 10 Home offers no full-disk encryption at all. We will later use a third-party open-source software for encryption that will allow full-disk encryption on Windows 10 Home. This will give you a good (plausible) excuse to use this software. While using this software on Windows 10 Pro would be suspicious.


Note about Linux: So, what about Linux and plausible deniability? Yes, it is kind of possible to achieve plausible deniability with Linux too. But it is complicated to set-up and IMHO requires a skill level high enough that you probably do not need this guide to help you try it.


Unfortunately, encryption is not magic and there are some risks involved:

Threats with encryption:​

The 5$ Wrench:​

Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter a fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org]


Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means. Avoid, if possible, the use of plausible deniability capable software (such as Veracrypt) if your threat model includes hard adversaries. So, Windows users should in that case install Windows Pro as a Host OS and use Bitlocker instead.


See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]

Evil-Maid Attack:​

Evil Maid Attacks are conducted when someone tampers with your laptop while you are away. For install to clone your hard drive, install malware or a key logger. If they can clone your hard drive, they can compare one image of your hard drive at the time they took it while you were away with the hard drive when they seize it from you. If you used the laptop again in between, forensics examiners might be able to prove the existence of the hidden data by looking at the variations between the two images in what should be an empty/unused space. This could lead to strong evidence of the existence of a hidden data. If they install a key logger or malware within your laptop (software or hardware), they will be able to simply get the password from you for later use when they seize it. Such attacks can be done at your home, your hotel, a border crossing or anywhere you leave your devices unattended.


You can mitigate this attack by doing the following (as recommended earlier):

• Have a basic tamper protection (as explained previously) to prevent physical access to the internals of the laptop without your knowing. This will prevent them from cloning your disks and installing a physical key logger without your knowledge.
• Disable all the USB ports (as explained previously) within a password protected BIOS/UEFI. Again, they will not be able to turn them on (without physically accessing the motherboard to reset the BIOS) to boot a USB device that could clone your hard drive or install a software-based malware that could act as a key logger.
• Set-up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device.
• Some OSes and Encryption software have anti-EvilMaid protection that can be enabled. This is the case with Windows/Veracrypt and QubeOS.

Cold-Boot Attack:​

Cold Boot attacks are trickier than the Evil Maid Attack but can be part of an Evil Maid attack as it requires an adversary to come into possession of your laptop while you are actively using your device or shortly afterward.


The idea is rather simple, as shown in this video, an adversary could theoretically quickly boot your device on a special USB key that would copy the content of the RAM (the memory) of the device after you shut it down. If the USB ports are disabled or if they feel like they need more time, they could open it and “cool down” the memory using a spray or other chemicals (liquid nitrogen for instance) preventing the memory decaying. They could then be able to copy its content for analysis. This memory dump could contain the key to decrypt your device. We will later apply a few principles to mitigate these.


In the case of Plausible Deniability, there have been some forensics studies about technically proving the presence of the hidden data with a simple forensic examination (without a Cold Boot/Evil Maid Attack) but these have been contested by other studies and by the maintainer of Veracrypt so I would not worry too much about those yet.


The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks with some added ones:

• If your OS or Encryption software allows it, you should consider encrypting the keys within RAM too (this is possible with Windows/Veracrypt and will be explained later)
• You should limit the use of Sleep stand-by and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep. This is because sleep will maintain power to your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory.

See also https://www.whonix.org/wiki/Cold_Boot_Attack_Defense [Archive.org] and https://www.whonix.org/wiki/Protection_Against_Physical_Attacks [Archive.org]


Here are also some interesting tools to consider for Linux users to defend against these:

• https://github.com/0xPoly/Centry [Archive.org] (unfortunately unmaintained it seems so I made a fork and pull request updating for Veracrypt https://github.com/AnonymousPlanet/Centry [Archive.org] which should still work)
• https://github.com/hephaest0s/usbkill [Archive.org] (unfortunately unmaintained as well it seems)
• https://github.com/Lvl4Sword/Killer [Archive.org]
• https://askubuntu.com/questions/153245/how-to-wipe-ram-on-shutdown-prevent-cold-boot-attacks [Archive.org]
• (Qubes OS, Intel CPU only) https://github.com/QubesOS/qubes-antievilmaid [Archive.org]

About Sleep, Hibernation and Shutdown:​

If you want the better security, you should shut down your laptop completely every time you leave it unattended or close the lid. This should clean and/or release the RAM and provide mitigations against cold boot attacks. However, this can be a bit inconvenient as you will have to reboot completely and type in a ton of passwords into various apps. Restart various VMs and other apps. So instead, you could also use hibernation instead (not supported on Qubes OS). Since the whole disk is encrypted, hibernation in itself should not pose a large security risk but will still shutdown your laptop and clear the memory while allowing you to conveniently resume your work afterward. What you should never do it use the standard sleep feature which will keep your computer on and the memory powered. This is an attack vector against evil-maid and cold-boot attacks discussed earlier. This is because your powered on memory holds the encryption keys to your disk (encrypted or not) and could then be accessed by a skilled adversary.


This guide will provide guidance later on how to enable hibernation on various host OSes (except Qubes OS) if you do not want to shut down every time.

Local Data Leaks (traces) and forensics examination:​

As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your computer. These mostly apply to encrypted file containers (with or without plausible deniability) than OS wide encryption. Such leaks are less “important” if your whole OS is encrypted (if you are not compelled to reveal the password).


Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use when mounting the USB key, it will open a decoy folder or the sensitive folder. Within those folders, you will have decoy documents/data within the decoy folder and sensitive documents/data within the sensitive folder.


In all cases, you will (most likely) open these folders with Windows Explorer, MacOS Finder or any other utility and do whatever you planned to do. Maybe you will edit a document within the sensitive folder. Maybe you will search a document within the folder. Maybe you will delete one or watch a sensitive video using VLC.


Well, all those Apps and your Operating System might keep logs and traces of that usage. This might include the full path of the folder/files/drives, the time those were accessed, temporary caches of those files, the “recent” lists in each apps, the file indexing system that could index the drive and even thumbnails that could be generated


Here are some examples of such leaks:

Windows:​

• Windows ShellBags that are stored within the Windows Registry silently storing various histories of accessed volumes/files/folders.
• Windows Indexing keeping traces of the files present in your user folder by default.
• Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents.
• Many more traces in various logs, please see this convenient interesting poster for more insight: https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download [Archive.org]

MacOS:​

• Gatekeeper290 and XProtect keeping track of your download history in a local database and file attributes.
• Spotlight Indexing
• Recent lists in various apps keeping traces of recently accessed documents.
• Temporary folders keeping various traces of App usage and Document usage.
• MacOS Logs
• …

Linux:​

• Tracker Indexing
• Bash History
• USB logs
• Recent lists in various apps keeping traces of recently accessed documents.
• Linux Logs
• …

Forensics could use all those leaks (see Local Data Leaks and Forensics) to prove the existence of hidden data and defeat your attempts at using plausible deniability and to find out about your various sensitive activities.


It will be therefore important to apply various steps to prevent forensics from doing this by preventing and cleaning these leaks/traces and more importantly by using whole disk encryption, virtualization, and compartmentalization.


Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).


Some cleaning techniques will nevertheless be covered in the “Cover your Tracks” part of this guide at the very end.

Online Data Leaks:​

Whether you are using simple encryption or plausible deniability encryption. Even if you covered your tracks on the computer itself. There is still a risk of online data leaks that could reveal the presence of hidden data.


Telemetry is your enemy. As explained earlier in this guide, the telemetry of Operating Systems but also from Apps can send staggering amounts of private information online.


In the case of Windows, this data could for instance be used to prove the existence of a hidden OS / Volume on a computer and would be readily available at Microsoft. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal. No matter what OS you are using.

Conclusion:​

You should never conduct sensitive activities from a non-encrypted system. And even if it is encrypted, you should probably never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks.


If you have little to no knowledge of Linux or if you want to use OS wide plausible deniability, I would recommend going for Windows (or back to the Tails route) for convenience. This guide will help you hardening it as much as possible to prevent leaks. This guide will also help you hardening MacOS and Linux as much as possible to prevent similar leaks.


If you have no interest for OS wide plausible deniability and want to learn to use Linux, I would strongly recommend going for Linux or the Qubes route if your hardware allows it.


In all cases, the host OS should never be used to conduct sensitive activities directly. The host OS will only be used to connect to a public Wi-Fi Access Point. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities.


Consider also reading https://www.whonix.org/wiki/Full_Disk_Encryption#Encrypting_Whonix_VMs [Archive.org]

 

[HEISENBERG]

Linux Host OS:​

As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risks.


I also recommend that you do the initial installation completely offline to avoid any data leak.


You should always remember that despite the reputation, Linux mainstream distributions (Ubuntu for instance) are not necessarily better at security than other systems such as MacOS and Windows. See this reference to understand why https://madaidans-insecurities.github.io/linux.html [Archive.org].

Full disk encryption:​

There are two possibilities here with Ubuntu:

• (Recommended and easy) Encrypt as part of the installation process: https://ubuntu.com/tutorials/install-ubuntu-desktop [Archive.org]
  
  • This process requires the full erasure of your entire drive (clean install).
  • Just check the “Encrypt the new Ubuntu installation for security”
• (Tedious but possible) Encrypt after installation: https://help.ubuntu.com/community/ManualFullSystemEncryption [Archive.org]

For other distros, you will have to document yourself but it will likely be similar. Encryption during install is just much easier in the context of this guide.

Reject/Disable any telemetry:​

• During the install, just make sure you do not allow any data collection if prompted.
• If you are not sure, just make sure you did not enable any telemetry and follow this tutorial if needed https://vitux.com/how-to-force-ubuntu-to-stop-collecting-your-data-from-your-pc/ [Archive.org]
• Any other distro: You will need to document yourself and find out yourself how to disable telemetry if there is any.

Disable anything unnecessary:​

• Disable Bluetooth if enabled by following this guide https://www.addictivetips.com/ubuntu-linux-tips/disable-bluetooth-in-ubuntu/ [Archive.org] or issuing the following command:
  
  • sudo systemctl disable bluetooth.service --force
• Disable Indexing if enabled by default (Ubuntu >19.04) by following this guide https://www.linuxuprising.com/2019/07/how-to-completely-disable-tracker.html [Archive.org] or issuing the following commands:
  
  • sudo systemctl --user mask tracker-store.service tracker-miner-fs.service tracker-miner-rss.service tracker-extract.service tracker-miner-apps.service tracker-writeback.service
    
    • You can safely ignore any error if it says some service does not exist
  • sudo tracker reset -hard

Hibernation:​

As explained previously, you should not use the sleep features but shutdown or hibernate your laptop to mitigate some evil-maid and cold-boot attacks. Unfortunately, this feature is disabled by default on many Linux distros including Ubuntu. It is possible to enable it but it might not work as expected. Follow this information at your own risk. If you do not want to do this, you should never use the sleep function and power off instead (and probably set the lid closing behavior to power off instead of sleep).


Follow one of these tutorials to enable Hibernate:

• https://www.how2shout.com/linux/how-to-hibernate-ubuntu-20-04-lts-focal-fossa/ [Archive.org]
• http://www.lorenzobettini.it/2020/07/enabling-hibernation-on-ubuntu-20-04/ [Archive.org]
• https://blog.ivansmirnov.name/how-to-set-up-hibernate-on-ubuntu-20-04/ [Archive.org]

After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu 20.04 http://ubuntuhandbook.org/index.php/2020/05/lid-close-behavior-ubuntu-20-04/ [Archive.org] and this tutorial for Ubuntu 18.04 https://tipsonubuntu.com/2018/04/28/change-lid-close-action-ubuntu-18-04-lts/ [Archive.org]


Unfortunately, this will not clean the key from memory directly from memory when hibernating. To avoid this at the cost of some performance, you might consider encrypting the swap file by following this tutorial: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap [Archive.org]


These settings should mitigate cold boot attacks if you can hibernate fast enough.

Enable MAC address randomization:​

• Ubuntu, follow these steps https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses [Archive.org].
• Any other distro: you will have to find the documentation yourself but it should be quite similar to the Ubuntu tutorial.
• Consider this tutorial which should still work: https://josh.works/shell-script-basics-change-mac-address [Archive.org]

Hardening Linux:​

As a light introduction for new Linux users, consider

[Invidious]


For more in-depth and advanced options, refer to:

• This excellent guide: https://madaidans-insecurities.github.io/guides/linux-hardening.html [Archive.org]
• This excellent wiki resource: https://wiki.archlinux.org/title/Security [Archive.org]
• These excellent scripts based on the guide and wiki above: https://codeberg.org/SalamanderSecurity/PARSEC [Archive.org]

Setting up a safe Browser:​

See Appendix G: Safe Browser on the Host OS

 

[HEISENBERG]

MacOS Host OS:​

Note: At this time, this guide will not support ARM M1 MacBooks (yet). Due to Virtualbox not supporting this architecture yet. It could however be possible if you use commercial tools like VMWare or Parallels but those are not covered in this guide.


As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risks.


I also recommend that you do the initial installation completely offline to avoid any data leak.


Do not ever sign in with your Apple account using that Mac.

During the install:​

• Stay Offline
• Disable all data sharing requests when prompted including location services
• Do not sign-in with Apple
• Do not enable Siri

Hardening MacOS:​

As a light introduction for new MacOS users, consider

[Invidious]


Now to go more in-depth in securing and hardening your MacOS, I recommend reading this GitHub guide which should cover many of the issues: https://github.com/drduh/macOS-Security-and-Privacy-Guide [Archive.org]


Here are the basic steps you should take after your offline installation:

Enable Firmware password with “disable-reset-capability” option:​

First you should set-up a firmware password following this guide from Apple: https://support.apple.com/en-us/HT204455 [Archive.org]


Unfortunately, some attacks are still possible and an adversary could disable this password so you should also follow this guide to prevent disabling the firmware password from anyone including Apple: https://support.apple.com/en-gb/guide/security/sec28382c9ca/web [Archive.org]

Enable Hibernation instead of sleep:​

Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close the lid. You should always either hibernate or shutdown. On MacOS, the hibernate feature even has a special option to specifically clear the encryption key from memory when hibernating (while you might have to wait for the memory to decay on other Operating Systems). Once again there are no easy options to do this within the settings so instead, we will have to do this by running a few commands to enable hibernation:

• Open a Terminal
• Run: sudo pmset -a destroyfvkeyonstandby 1
  
  • This command will instruct MacOS to destroy the Filevault key on Standby (sleep)
• Run: sudo pmset -a hibernatemode 25
  
  • This command will instruct MacOS to power off the memory during sleep instead of doing a hybrid hibernate that keeps the memory powered on. It will result in slower wakes but will increase battery life.

Now when you close the lid of your MacBook, it should hibernate instead of sleep and mitigate attempts at performing cold-boot attacks.


In addition, you should also setup an automatic sleep (Settings > Energy) to that your MacBook will hibernate automatically if left unattended.

Disable unnecessary services:​

Disable some unnecessary settings within the settings:

• Disable Bluetooth
• Disable the Camera and Microphone
• Disable Location Services
• Disable Airdrop
• Disable Indexing

Prevent Apple OCSP calls:​

These are the infamous “unblockable telemetry” calls from MacOS Big Sur disclosed here: https://sneak.berlin/20201112/your-computer-isnt-yours/ [Archive.org]


You could block OCSP reporting by issuing the following command in Terminal:

• sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'

But you should probably document yourself on the actual issue before acting. This page is a good place to start: https://blog.jacopo.io/en/post/apple-ocsp/ [Archive.org]


Up to you really. I would block it because I do not want any telemetry at all from my OS to the mothership without my specific consent. None.

Enable Full Disk encryption (Filevault):​

You should enable full disk encryption on your Mac using Filevault according to this part of the guide: https://github.com/drduh/macOS-Security-and-Privacy-Guide#full-disk-encryption [Archive.org]


Be careful when enabling. Do not store the recovery key at Apple if prompted (should not be an issue since you should be offline at this stage). You do not want a third party to have your recovery key obviously.

MAC Address Randomization:​

Unfortunately, MacOS does not offer a native convenient way of randomizing your MAC Address and so you will have to do this manually. This will be reset at each reboot and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fis


You can do by issuing the following commands in terminal (without the parentheses):

• (Turn the Wi-Fi off) networksetup -setairportpower en0 off
• (Change the MAC Address) sudo ifconfig en0 ether 88:63:11:11:11:11
• (Turn the Wi-Fi back on) networksetup -setairportpower en0 on

Setting up a safe Browser:​

See Appendix G: Safe Browser on the Host OS

Windows Host OS:​

As mentioned earlier, I do not recommend using your daily laptop for very sensitive activities. Or at least I do not recommend using your in-place OS for these. Doing that might result in unwanted data leaks that could be used to de-anonymize you. If you have a dedicated laptop for this, you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risks.


I also recommend that you do the initial installation completely offline to avoid any data leak.

Installation:​

You should follow Appendix A: Windows Installation


As a light introduction, consider watching

[Invidious]

Enable MAC address randomization:​

You should randomize your MAC address as explained earlier in this guide:


Go into Settings > Network & Internet > Wi-Fi > Enable Random hardware addresses


Alternatively, you could use this free piece of software: https://technitium.com/tmac/ [Archive.org]

Setting up a safe Browser:​

See Appendix G: Safe Browser on the Host OS

Enable some additional privacy settings on your Host OS:​

See Appendix B: Windows Additional Privacy Settings

Windows Host OS encryption:​

If you intend to use system-wide plausible deniability:​

Veracrypt is the software I will recommend for full disk encryption, file encryption and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for

• Full Disk simple encryption (your hard drive is encrypted with one passphrase).
• Full Disk encryption with plausible deniability (this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS).
• File container simple encryption (it is a large file that you will be able to mount within Veracrypt as if it was an external drive to store encrypted files within).
• File container with plausible deniability (it is the same large file but depending on the passphrase you use when mounting it, you will either mount a “hidden volume” or the “decoy volume”).

It is to my knowledge the only (convenient and usable by anyone) free, open-source and openly audited encryption software that also provides plausible deniability for general use and it works with Windows Home Edition.


Go ahead and download and install Veracrypt from: https://www.veracrypt.fr/en/Downloads.html [Archive.org]


After installation, please take a moment to review the following options that will help mitigate some attacks:

• Encrypt the memory with a Veracrypt option (settings > performance/driver options > encrypt RAM) at a cost of 5-15% performance. This setting will also disable hibernation (which does not actively clear the key when hibernating) and instead encrypt the memory altogether to mitigate some cold-boot attacks.
• Enable the Veracrypt option to wipe the keys from memory if a new device is inserted (system > settings > security > clear keys from memory if a new device is inserted). This could help in case your system is seized while still on (but locked).
• Enable the Veracrypt option to mount volumes as removable volumes (Settings > Preferences > Mount volume as removable media). This will prevent Windows from writing some logs about your mounts in the Event logs and prevent some local data leaks.
• Be careful and have a good situational awareness, if you sense something weird. Shut your laptop down as fast as possible.
• While Veracrypt newer versions do support Secure Boot, I would recommend disabling it from the BIOS as I prefer Veracrypt Anti-Evil Maid system over Secure Boot.

If you do not want to use encrypted memory (because performance might be an issue), you should at least enable hibernation instead of sleep. This will not clear the keys from memory (you are still vulnerable to cold boot attacks) but at least should mitigate them somewhat if your memory has enough time to decay.


More details later in Route A and B: Simple Encryption using Veracrypt (Windows tutorial).

If you do not intend to use system-wide plausible deniability:​

For this case, I will recommend the use of BitLocker instead of Veracrypt for the full disk encryption. The reasoning is that BitLocker does not offer a plausible deniability possibility contrary to Veracrypt. A hard adversary has then no incentive in pursuing his “enhanced” interrogation if you reveal the passphrase.


Normally, you should have installed Windows Pro in this case and BitLocker setup is quite straight-forward.


Basically you can follow the instructions here: https://support.microsoft.com/en-us...cryption-0c453637-bc88-5f74-5105-741561aae838 [Archive.org]


But here are the steps:

• Click the Windows Menu
• Type “Bitlocker”
• Click “Manage Bitlocker”
• Click “Turn On Bitlocker” on your System Drive
• Follow the instructions
  
  • Do not save your recovery key to a Microsoft Account if prompted.
  • Only save the recovery key to an external encrypted drive. To bypass this, print the recovery key using the Microsoft Print to PDF printer and save the key within the Documents folder.
  • Encrypt Entire Drive (do not encrypt the used disk space only).
  • Use “New Encryption Mode”
  • Run the BitLocker Check
  • Reboot
• Encryption should now ne started in the background (you can check by clicking the Bitlocker icon in the lower right side of the taskbar).

Enable Hibernation (optional):​

Again, as explained earlier. You should never use the sleep feature to mitigate some cold-boot and evil-maid attacks. Instead, you should Shut down or hibernate. You should therefore switch your laptop for sleeping to hibernating when closing the lid or when your laptop goes to sleep.


(Note that you cannot enable hibernation if you previously enabled RAM encryption within Veracrypt)


The reason is that Hibernation will actually shutdown your laptop completely and clean the memory. Sleep on the other hand will leave the memory powered on (including your decryption key) and could leave your laptop vulnerable to cold-boot attacks.


By default, Windows 10 might not offer you this possibility so you should enable it by following this Microsoft tutorial: https://docs.microsoft.com/en-us/tr.../deployment/disable-and-re-enable-hibernation [Archive.org]

• Open an administrator command prompt (right click on Command Prompt and “Run as Administrator”)
• Run: powercfg.exe /hibernate on
• Now run the additional command: **powercfg /h /type full**
  
  • This command will make sure your hibernate mode is full and will fully clean the memory (not securely tho).

After that you should go into your power settings:

• Open the Control Panel
• Open System & Security
• Open Power Options
• Open “Choose what the power button does”
• Change everything from sleep to hibernate or shutdown
• Go back to the Power Options
• Select Change Plan Settings
• Select Advanced Power Settings
• Change all the Sleep Values for each Power Plan to 0 (Never)
• Make sure Hybrid Sleep is Off for each Power Plan
• Enable Hibernate After the time you would like
• Disable all the Wake timers

Deciding which sub-route you will take:​

Now you will have to pick your next step between two options:

• Route A: Simple encryption of your current OS
  
  • Pros:
    
    • Does not require you to wipe your laptop
    • No issue with local data leaks
    • Works fine with an SSD drive
    • Works with any OS
    • Simple
  • Cons:
    
    • You could be compelled by adversary to reveal your password and all your secrets and will have no plausible deniability.
    • Danger of Online data leaks
• Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves:
  
  • Pros:
    
    • Does not require you to wipe your laptop
    • Works fine with an SSD drive
    • Works with any OS
    • Plausible deniability possible with “soft” adversaries
  • Cons:
    
    • Danger of Online Data leaks
    • Danger of Local Data leaks (that will lead to more work to clean up those leaks)
• Route C: Plausible Deniability Encryption of your Operating system (you will have a “hidden OS” and a “decoy OS” running on the laptop):
  
  • Pros:
    
    • No issues with local Data leaks
    • Plausible deniability possible with “soft” adversaries
  • Cons:
    
    • Requires Windows (this feature is not “easily” supported on Linux).
    • Danger of online Data leaks
    • Requires full wipe of your laptop
    • No use with an SSD drive due to requirement of disabling Trim Operations. This will severely degrade the performance/health of your SSD drive over time.

As you can see, Route C only offers two privacy advantages over the others and it will only be of use against a soft lawful adversary. Remember https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org].


Deciding which route you will take is up to you. Route A is a minimum.


Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches. Especially check this before applying large Windows updates that might break the Veracrypt bootloader and send you into a boot loop.


NOTE THAT BY DEFAULT VERACRYPT WILL ALWAYS PROPOSE A SYSTEM PASSWORD IN QWERTY (display the password as a test). This can cause issues if your boot input is using your laptop’s keyboard (AZERTY for example) as you will have setup your password in QWERTY and will input it at boot time in AZERTY. So, make sure you check when doing the test boot what keyboard layout your BIOS is using. You could fail to log-in just because the QWERTY/AZERTY mix-up. If your BIOS boots using AZERTY, you will need to type the password in QWERTY within Veracrypt.

Route A and B: Simple Encryption using Veracrypt (Windows tutorial)​

Skip this step if you used BitLocker instead earlier.


You do not have to have an HDD for this method and you do not need to disable Trim on this route. Trim leaks will only be of use to forensics in detecting the presence of a Hidden Volume but will not be of much use otherwise.


This route is rather straightforward and will just encrypt your current Operating System in place without losing any data. Be sure to read all the texts Veracrypt is showing you so you have a full understanding of what is going on.

• Launch VeraCrypt
• Go into Settings:
  
  • Settings > Performance/driver options > Encrypt RAM
  • System > Settings > Security > Clear keys from memory if a new device is inserted
  • System > Settings > Windows > Enable Secure Desktop
• Select System
• Select Encrypt System Partition/Drive
• Select Normal (Simple)
• Select Single-Boot
• Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
• Select SHA-512 as hash Algorithm (because why not)
• Enter a strong passphrase (longer the better, remember Appendix A2: Guidelines for passwords and passphrases)
• Collect some entropy by randomly moving your cursor around until the bar is full
• Click Next as the Generated Keys screen
• To rescue disk or not rescue disk, well that is up to you. I recommend making one (just in case), just make sure to store it outside your encrypted drive (USB key for instance, or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase and you will still need it to use it.
• Wipe mode:
  
  • If you have no sensitive data yet on this laptop, select None
  • If you have sensitive data on an SSD, Trim alone should take care of it but I would recommend 1 pass (random data) just to be sure.
  • If you have sensitive data on an HDD, there is no Trim and I would recommend at least 1-pass.
• Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
• After your computer rebooted and the test is passed. You will be prompted by Veracrypt to start the encryption process.
• Start the encryption and wait for it to complete.
• You are done, skip Route B and go the next steps.

There will be another section on creating encrypted file containers with Plausible Deniability on Windows.

Route B: Plausible Deniability Encryption with a Hidden OS (Windows only)​

This is only supported on Windows.


This is only recommended on an HDD drive. This is not recommended on an SSD drive.


Your Hidden OS should not be activated (with a MS product key). Therefore, this route will recommend and guide you through a full clean installation that will wipe everything on your laptop.


Read the Veracrypt Documentation https://www.veracrypt.fr/en/VeraCrypt Hidden Operating System.html [Archive.org] (Process of Creation of Hidden Operating System part) and https://www.veracrypt.fr/en/Security Requirements for Hidden Volumes.html [Archive.org] (Security Requirements and Precautions Pertaining to Hidden Volumes).


This is how your system will look after this process is done:

(Illustration from Veracrypt Documentation, https://veracrypt.fr/en/VeraCrypt Hidden Operating System.html [Archive.org])


As you can see this process requires you to have two partitions on your hard drive from the start.


This process will do the following:

• Encrypt your second partition (the outer volume) that will look like an empty unformatted disk from the decoy OS.
• Prompt you with the opportunity to copy some decoy content within the outer volume.
  
  • This is where you will copy your decoy Anime/Porn collection from some external hard drive to the outer volume.
• Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside.
• Clone your currently running Windows 10 installation onto the hidden volume.
• Wipe your currently running Windows 10.
• This means that your current Windows 10 will become the hidden Windows 10 and that you will need to reinstall a fresh decoy Windows 10 OS.

Mandatory if you have an SSD drive and you still want to do this against the recommendation: Disable SSD Trim in Windows (again this is NOT recommended at all as disabling Trim in itself is highly suspicious).Also as mentioned earlier, disabling Trim will reduce the lifetime of your SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until it becomes almost unusable, you will then have to clean the drive and re-install everything). But you must do it to prevent data leaks that could allow forensics to defeat your plausible deniability. The only way around this at the moment is to have a laptop with a classic HDD drive instead.

 

[HEISENBERG]

Step 1: Create a Windows 10 install USB key​

See Appendix C: Windows Installation Media Creation and go with the USB key route.

Step 2: Boot the USB key and start the Windows 10 install process (Hidden OS)​

• Insert the USB key into your laptop
• See Appendix A: Windows Installation and proceed with installing Windows 10 Home.

Step 3: Privacy Settings (Hidden OS)​

See Appendix B: Windows Additional Privacy Settings

Step 4: Veracrypt installation and encryption process start (Hidden OS)​

Remember to read https://www.veracrypt.fr/en/VeraCrypt Hidden Operating System.html [Archive.org]


Do not connect this OS to your known Wi-Fi. You should download Veracrypt installer from a different computer and copy the installer here using an USB key.

• Install Veracrypt
• Start Veracrypt
• Go into Settings:
  
  • Settings > Performance/driver options > Encrypt RAM(note that this option is not compatible with Hibernation your laptop and means you will have to shut down completely)
  • System > Settings > Security > Clear keys from memory if a new device is inserted
  • System > Settings > Windows > Enable Secure Desktop
• Go into System and select Create Hidden Operating System
• Read all the prompts with thoroughly
• Select Single-Boot if prompted
• Create the Outer Volume using AES and SHA-512.
• Use all the space available on the second partition for the Outer Volume
• Use a strong passphrase (remember Appendix A2: Guidelines for passwords and passphrases)
• Select yes to Large Files
• Create some Entropy by moving the mouse around until the bar is full and select NTFS (do not select exFAT as we want this outer volume to look “normal” and NTFS is normal).
• Format the Outer Volume
• Open Outer Volume:
  
  • At this stage, you should copy decoy data onto the outer volume. So, you should have some sensitive but not so sensitive files/folders to copy there. In case you need to reveal a password to this Volume. This is a good place for your Anime/Mp3/Movies/Porn collection.
  • I recommend you do not fill the outer volume too much or too little (about 40%). Remember you must leave enough space for the Hidden OS (which will be same size as the first partition you created during installation).
• Use a strong passphrase for the Hidden Volume (obviously a different one than the one for the Outer Volume).
• Now you will create the Hidden Volume, select AES and SHA-512
• Fill the entropy bar until the end with random mouse movements
• Format the hidden Volume
• Proceed with the Cloning
• Veracrypt will now restart and Clone the Windows where you started this process into the Hidden Volume. This Windows will become your Hidden OS.
• When the cloning is complete, Veracrypt will restart within the Hidden System
• Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS (the one you installed previously with the USB key).
• Use 1-Pass Wipe and proceed.
• Now your Hidden OS will be installed, proceed to next step

Step 5: Reboot and boot the USB key and start the Windows 10 install process again (Decoy OS)​

Now that the Hidden OS is fully installed, you will need to install a Decoy OS.

• Insert the USB key into your laptop
• See Appendix A: Windows Installation and proceed with installing Windows 10 Home again (do not Install a different version and stick with Home).

Step 6: Privacy settings (Decoy OS)​

See Appendix B: Windows Additional Privacy Settings

Step 7: Veracrypt installation and encryption process start (Decoy OS)​

Now we will encrypt the Decoy OS:

• Install Veracrypt
• Launch VeraCrypt
• Select System
• Select Encrypt System Partition/Drive
• Select Normal (Simple)
• Select Single-Boot
• Select AES as encryption Algorithm (click the test button if you want to compare the speeds)
• Select SHA-512 as hash Algorithm (because why not)
• Enter a short weak password (yes this is serious, do it, it will be explained later).
• Collect some entropy by randomly moving your cursor around until the bar is full
• Click Next as the Generated Keys screen
• To rescue disk or not rescue disk, well that is up to you. I recommend making one (just in case), just make sure to store it outside your encrypted drive (USB key for instance, or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase and you will still need it to use it.
• Wipe mode: Select 1-Pass just to be safe
• Pre-Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go forward.
• After your computer rebooted and the test is passed. You will be prompted by Veracrypt to start the encryption process.
• Start the encryption and wait for it to complete.
• Your Decoy OS is now ready for use.

Step 8: Test your setup (Boot in Both)​

Time to test your setup.

• Reboot and input your Hidden OS passphrase, you should boot within the Hidden OS.
• Reboot and input your Decoy OS passphrase, you should boot within the Decoy OS.
• Launch Veracrypt on the Decoy OS and mount the second partition using the Outer Volume Passphrase (mount it as read-only, by going into Mount Options and Selecting Read-Only) and it should mount the second partition as a read-only displaying your decoy data (your Anime/Porn collection). You are mounting it as read-only now because if you were to write data on it, you could override content from your Hidden OS.

Step 9: Changing the decoy data on your Outer Volume safely​

Before going to next step, you should learn the way to mount your Outer Volume safely for writing content on it. This is also explained in this official Veracrypt Documentation https://www.veracrypt.fr/en/Protection of Hidden Volumes.html [Archive.org]


You should do this from a safe trusted place.


Basically, you are going to mount your Outer Volume while also providing the Hidden Volume passphrase within the Mount Options to protect the Hidden Volume from being overwritten. Veracrypt will then allow you write data to the Outer volume without risking overwriting any data on the Hidden Volume.


This operation will not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the discovery of the Hidden OS. However, while you are performing this operation, both passwords will be stored in your RAM and therefore you could still be susceptible to a Cold-Boot Attack. To mitigate this, be sure to have the option to encrypt your RAM too.

• Open Veracrypt
• Select your Second Partition
• Click Mount
• Click Mount Options
• Check the “Protect the Hidden volume…” Option
• Enter the Hidden OS passphrase
• Click OK
• Enter your Outer Volume passphrase
• Click OK
• You should now be able to open and write to your Outer volume to change the content (copy/move/delete/edit…)

Step 10: Leave some forensics evidence of your outer Volume (with the decoy Data) within your Decoy OS​

We must make the Decoy OS as plausible as possible. We also want your adversary to think you are not that smart.


Therefore, it is important to voluntarily leave some forensic evidence of your Decoy Content within your Decoy OS. This evidence will let forensic examiners see that you mounted your Outer Volume frequently to access its content.


Here are good tips to leave some forensics evidence:

• Play the content from the Outer Volume from your Decoy OS (using VLC for instance). Be sure to keep a history of those.
• Edit Documents and work in them.
• Enable File Indexing again on the Decoy OS and include the Mounted Outer Volume.
• Unmount it and mount it frequently to watch some Content.
• Copy some Content from your Outer Volume to your Decoy OS and then delete it unsafely (just put it in the recycle Bin).
• Have a Torrent Client installed on the Decoy OS use it from time to time to Download some similar stuff that you will leave on the Decoy OS.
• You could have a VPN client installed on the Decoy OS with a known VPN of yours (non-cash paid).

Do not put anything suspicious on the Decoy OS such as:

• This guide
• Any links to this guide
• Any suspicious anonymity software such as Tor Browser

Notes:​

Remember that you will need valid excuses for this plausible deniability scenario to work:


Take some time to read again the “Possible Explanations for Existence of Two Veracrypt Partitions on Single Drive” of the Veracrypt documentation here https://www.veracrypt.fr/en/VeraCrypt Hidden Operating System.html [Archive.org]

• You are using Veracrypt because you are using Windows 10 Home which does not feature Bitlocker but still wanted Privacy.
• You have two Partitions because you wanted to separate the System and the Data for easy organization and because some Geek friend told you this was better for performance.
• You have used a weak password for easy convenient booting on the System and a Strong long passphrase on the Outer Volume because you were too lazy to type a strong passphrase at each boot.
• You encrypted the second Partition with a different password than the System because you do not want anyone in your entourage to see your stuff. And so, you did not want that data available to anyone.

Be careful:

• You should never mount the Hidden Volume from the Decoy OS (NEVER EVER). If you did this, it will create forensics evidence of the Hidden Volume within the Decoy OS that could jeopardize your attempt at plausible deniability. If you did this anyway (intentionally or by mistake) from the Decoy OS, there are ways to erase forensics evidence that will be explained later at the end of this guide.
• Never ever Use the Decoy OS from the same network (public Wi-Fi) as the Hidden OS.
• When you do mount the Outer Volume from the Decoy OS, do not write any Data within the Outer Volume as this could override what looks like Empty Space but is in fact your Hidden OS. You should always mount it as read-only.
• If you want to change the Decoy content of the Outer Volume, you should use a Live OS USB Key that will run Veracrypt.
• Note that you will not use the Hidden OS to perform sensitive activities, this will be done later from a VM within the Hidden OS. The Hidden OS is only meant to protect you from a soft adversary that could gain access to your laptop and compel you to reveal your password.
• Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your hidden OS.

 

[HEISENBERG]

Virtualbox on your Host OS:​

Remember Appendix W: Virtualization.


This step and the following steps should be done from within the Host OS. This can either be your Host OS with simple encryption (Windows/Linux/MacOS) or your Hidden OS with plausible deniability (Windows only).


In this route, we will make extensive use of the free Oracle Virtualbox software. This is a virtualization software in which you can create Virtual Machines that emulate a computer running a specific OS (if you want to use something else like Xen, Qemu, KVM or VMWARE, feel free to do so but this part of the guide covers Virtualbox only for convenience).


So, you should be aware that Virtualbox is not the virtualization software with the best track record in terms of security and some of the reported issues have not be completely fixed to this date and if you are using Linux with a bit more technical skills, you should consider using KVM instead by following the guide available at Whonix here https://www.whonix.org/wiki/KVM [Archive.org] and here https://www.whonix.org/wiki/KVM#Why_Use_KVM_Over_VirtualBox.3F [Archive.org]


Some steps should be taken in all cases:


All your sensitive activities will be done from within a guest Virtual Machine running Windows 10 Pro (not Home this time), Linux or MacOS.


This has a few advantages that will greatly help you remain anonymous:

• It should prevent the guest VM OS (Windows/Linux/MacOS), Apps and any telemetry within the VMs from accessing your hardware directly. Even if your VM is compromised by malware, this malware should not be able to the VM and compromise your actual laptop.
• It will allow us to force all the network traffic from your client VM to run through another Gateway VM that will direct (torify) all the traffic towards the Tor Network. This is a network “kill switch”. Your VM will lose its network connectivity completely and go offline if the other VM loses its connection to the Tor Network.
• The VM itself that only has internet connectivity through a Tor Network Gateway will connect to your cash-paid VPN service through Tor.
• DNS Leaks will be impossible because the VM is on an isolated network that must go through Tor no matter what.

 

[HEISENBERG]

Pick your connectivity method:​

There are 7 possibilities within this route:

• Recommended and preferred:
  
  • Use Tor alone (User > Tor > Internet)
  • Use VPN over Tor (User > Tor > VPN > Internet) in specific cases
• Possible if required by context:
  
  • Use VPN over Tor over VPN (User > VPN > Tor > VPN > Internet)
  • Use Tor over VPN (User > VPN > Tor > Internet)
• Not recommended and risky:
  
  • Use VPN alone (User > VPN > Internet)
  • Use VPN over VPN (User > VPN > VPN > Internet)
• Not recommended and highly risky (but possible)
  
  • No VPN and no Tor (User > Internet)

Tor only:​

This is the preferred and most recommended solution.

With this solution, all your network goes through Tor and it should be sufficient to guarantee your anonymity in most cases.


There is one main drawback tho: Some services block/ban Tor Exit nodes outright and will not allow account creations from those.


To mitigate this, you might have to consider the next option: VPN over Tor but consider some risks associated with it explained in the next section.

VPN/Proxy over Tor:​

This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible from a Tor Exit node. This is because many services will just outright ban, hinder, or block Tor (see https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]).


As you can see in this illustration, if your cash (preferred)/Monero paid VPN/Proxy is compromised by an adversary (despite their privacy statement and no-logging policies), they will only find an anonymous cash/Monero paid VPN/Proxy account connecting to their services from a Tor Exit node.

If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to your identity.


If an adversary somehow compromises your VM OS (with a malware or exploit for instance), they will be trapped within the internal Network of Whonix and should be unable to reveal the IP of the public Wi-Fi.


This solution however has one main drawback to consider: Interference with Tor Stream Isolation.


Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application. Here is an illustration to show what stream isolation is:

(Illustration from Marcelo Martins, https://stakey.club/en/decred-via-tor-network/ [Archive.org])


VPN/Proxy over Tor falls on the right-side meaning using a VPN/Proxy over Tor forces Tor to use one circuit for all activities instead of multiple circuits for each. This means that using a VPN/Proxy over Tor can somewhat reduce the effectiveness of Tor in some cases and should therefore be used only for some specific cases:

• When your destination service does not allow Tor Exit nodes.
• When you do not mind using a shared Tor circuit for various services. Like for instance for using various authenticated services.

You should however consider not using this method when your aim is just to browse random various unauthenticated websites as you will not benefit from Stream Isolation and this could make correlation attacks easier over time for an adversary between each of your sessions (see Your Anonymized Tor/VPN traffic). If your goal however is to use the same identity at each session on the same authenticated services, the value of Stream isolation is lessened as you can be correlated through other means.


You should also know that Stream Isolation is not necessarily configured by default on Whonix Workstation. It is only pre-configured for some applications (including Tor Browser).


Also note that Stream Isolation does not necessarily change all the nodes in your Tor circuit. It can sometimes only change one or two. In many cases, Stream Isolation (for instance within the Tor Browser) will only change the relay (middle) node and the exit node while keeping the same guard (entry) node.


More information at:

• https://www.whonix.org/wiki/Stream_Isolation [Archive.org]
• https://tails.boum.org/contribute/design/stream_isolation/ [Archive.org]
• https://www.whonix.org/wiki/Tunnels/Introduction#Comparison_Table [Archive.org]

Tor over VPN:​

You might be wondering: Well, what about using Tor over VPN instead of VPN over Tor? Well, I would not necessarily it:

• Disadvantages
  
  • Your VPN provider is just another ISP that will then know your origin IP and will be able to de-anonymize you if required. We do not trust them. I prefer a situation where your VPN provider does not know who you are. It does not add much in terms of anonymity.
  • This would result in you connecting to various services using the IP of a Tor Exit Node which are banned/flagged in many places. It does not help in terms of convenience.
• Advantages:
  
  • The main advantage really is that if you are in a hostile environment where Tor access is impossible/dangerous/suspicious but VPN is okay.
  • This method also does not break Tor Stream isolation.

Note, if you are having issues accessing the Tor Network due to blocking/censorship, you could try using Tor Bridges. See Appendix X: Using Tor bridges in hostile environments.


It is also possible to consider VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) using two cash/Monero paid VPNs instead. This means that you will connect the Host OS to a first VPN from your Public Wi-Fi, then Whonix will connect to Tor and finally your VM will connect to a second VPN over Tor over VPN (see https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]).


This will of course have a significant performance impact and might be quite slow but I think Tor is necessary somewhere for achieving reasonable anonymity.


Achieving this technically is easy within this route, you need two separate anonymous VPN accounts and must connect to the first VPN from the Host OS and follow the route.


Conclusion: Only do this if you think using Tor alone is risky/impossible but VPNs are okay. Or just because you can and so why not.

 

[HEISENBERG]

VPN only:​

This route will not be explained nor recommended.


If you can use VPNs then you should be able to add a Tor layer over it. And if you can use Tor, then you can add an anonymous VPN over Tor to get the preferred solution.


Just using a VPN or even a VPN over VPN makes no sense as those can be traced back to you over time. One of the VPN providers will know your real origin IP (even if it is in a safe public space) and even if you add one over it, the second one will still know you were using that other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer … but it is a persistent centralized added layer and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests.


For more info, please see the following references:

• https://www.whonix.org/wiki/Compari..._VPN_Services#Tor_and_VPN_Services_Comparison [Archive.org]
• https://www.whonix.org/wiki/Why_does_Whonix_use_Tor [Archive.org]
• https://www.researchgate.net/public...communication_VPN_and_Tor_a_comparative_study [Archive.org]
• https://gist.github.com/joepie91/5a9909939e6ce7d09e29#file-vpn-md [Archive.org]
• https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html [Archive.org]

In the context of this guide, Tor is required somewhere to achieve reasonable and safe anonymity and you should use it if you can.

No VPN/Tor:​

If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control is very high.


Just do not, it is not worth it and too risky IMHO. You can be de-anonymized almost instantly by any motivated adversary that could get to your physical location in a matter of minutes.


Do not forget to check back on Adversaries (threats) and Appendix S: Check your network for surveillance/censorship using OONI.


If you have absolutely no other option and still want to do something, see Appendix P: Accessing the internet as safely as possible when Tor/VPN is not an option (at your own risk) and consider The Tails route instead.

Conclusion:​

Unfortunately, using Tor alone will raise the suspicion of many destinations’ platforms. You will face many hurdles (captchas, errors, difficulties signing-up) if you only use Tor. In addition, using Tor where you are could put you in trouble just for that. But Tor remains the best solution for anonymity and must be somewhere for anonymity.

• If your intent is to create persistent shared and authenticated identities on various services where access from Tor is hard, I recommend the VPN over Tor option (or VPN over Tor over VPN if needed). It might be a little less secure against correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just using Tor. It is an “acceptable” trade-off IMHP if you are careful enough with your identity.
• If your intent however is just to browse random services anonymously without creating specific shared identities, using tor friendly services; or if you do not want to accept that trade-off in the previous option. Then I recommend using the Tor Only route to keep the full benefits of Stream Isolation (or Tor over VPN if you need to).
• If cost is an issue, I recommend the Tor Only option if possible.
• If both Tor and VPN access are impossible or dangerous then you have no choice but to rely on Public wi-fis safely. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option

For more information, you can also see the discussions here that could help decide yourself:

• Tor Project: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN [Archive.org]
• Tails Documentation:
  
  • https://gitlab.tails.boum.org/tails/blueprints/-/wikis/vpn_support/ [Archive.org]
  • https://tails.boum.org/support/faq/index.en.html#index20h2 [Archive.org]
• Whonix Documentation (in this order):
  
  • https://www.whonix.org/wiki/Tunnels/Introduction [Archive.org]
  • https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN [Archive.org]
  • https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]
• Some papers on the matter:
  
  • https://www.researchgate.net/public...communication_VPN_and_Tor_a_comparative_study [Archive.org]

 

[HEISENBERG]

Get an anonymous VPN/Proxy:​

Skip this step if you want to use Tor only.


See Appendix O: Get an anonymous VPN/Proxy

Whonix:​

Skip this step if you cannot use Tor.


This route will use Virtualization andWhonix309 as part of the anonymization process. Whonix is a Linux distribution composed of two Virtual Machines:

• The Whonix Workstation (this is a VM where you can conduct sensitive activities)
• The Whonix Gateway (this VM will establish a connection to the Tor network and route all the network traffic from the Workstation through the Tor network).

This guide will therefore propose 2 flavors of this route:

• The Whonix only route where all traffic is routed through the Tor Network (Tor Only or Tor over VPN).

A Whonix hybrid route where all traffic is routed through a cash (preferred)/Monero paid VPN over the Tor Network (VPN over Tor or VPN over Tor over VPN).

You will be able to decide which flavor to use based on my recommendations. I recommend the second one as explained before.


Whonix is well maintained and has extensive and incredibly detailed documentation.

A note on Virtualbox Snapshots:​

Later, you will create and run several Virtual Machines within Virtualbox for your sensitive activities. Virtualbox provides a feature called “Snapshots” that allow for saving the state of a VM at any point in time. If for any reason later you want to go back to that state, you can restore that snapshot at any moment.


I strongly recommend that you do make use of this feature by creating a snapshot after the initial installation / update of each VM. This snapshot should be done before their use for any sensitive/anonymous activity.


This will allow you to turn your VMs into a kind of a disposable “Live Operating Systems” (like Tails discussed earlier). Meaning that you will be able to erase all the traces of your activities within a VM by restoring a Snapshot to an earlier state. Of course, this will not be “as good” as Tails (where everything is stored in memory) as there might be traces of this activity left on your hard disk. Forensics studies have shown the ability to recover data from a reverted VM. Fortunately, there will be ways to remove those traces after deletion or reverting to a previous snapshot. Such techniques will be discussed in the Some additional measures against forensics section of this guide.

Download Virtualbox and Whonix utilities:​

You should download a few things within the host OS.

• The latest version of the Virtualbox installer according to your Host OS https://www.virtualbox.org/wiki/Downloads [Archive.org]
• (Skip this if you cannot use Tor natively of through a VPN) The latest Whonix OVA file from https://www.whonix.org/wiki/Download [Archive.org] according to your preference (Linux/Windows, with a Desktop interface XFCE for simplicity or only with the text-client for advanced users)

This will conclude the preparations and you should now be ready to start setting up the final environment that will protect your anonymity online.

Virtualbox Hardening recommendations:​

For ideal security, you should follow the recommendations provided here for each Virtualbox Virtual Machine https://www.whonix.org/wiki/Virtualization_Platform_Security#VirtualBox_Hardening [Archive.org]:

• Disable Audio.
• Do not enable Shared Folders.
• Do not enable 2D acceleration. This one is done running the following command VBoxManage modifyvm "vm-id" --accelerate2dvideo on|off
• Do not enable 3D acceleration.
• Do not enable the Serial Port.
• Remove the Floppy drive.
• Remove the CD/DVD drive.
• Do not enable the Remote Display server.
• Enable PAE/NX (NX is a security feature).
• Disable Advanced Configuration and Power Interface (ACPI). This one is done running the following command VBoxManage modifyvm "vm-id" --acpi on|off
• Do not attach USB devices.
• Disable the USB controller which is enabled by default. Set the Pointing Device to “PS/2 Mouse” or changes will revert.

Finally, also follow this recommendation to desync the clock you are your VM compared to your host OS https://www.whonix.org/wiki/Network...oof_the_Initial_Virtual_Hardware_Clock_Offset [Archive.org]


This offset should be within a 60000 milliseconds range and should be different for each VM and here are some examples (which can be later applied to any VM):

• VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset -35017
• VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset +27931
• VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset -35017
• VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset +27931

Also consider applying these mitigations from VirtualBox to mitigate Spectre/Meltdown vulnerabilities by running this command from the VirtualBox Program Directory. All of these are described here: https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (be aware these can impact severely the performance of your VMs but should be done for best security).


Finally consider the security advice from Virtualbox themselves here https://www.virtualbox.org/manual/ch13.html [Archive.org]

 

[HEISENBERG]

Tor over VPN:​

Skip this step if you do not intend to use Tor over VPN and only intend to use Tor or cannot.


If you intend to use Tor over VPN for any reason. You first must configure a VPN service on your host OS.


Remember that in this case, I recommend having two VPN accounts. Both paid with cash/Monero (see Appendix O: Get an anonymous VPN/Proxy). One will be used in the Host OS for the first VPN connection. The other could be used in the VM to achieve VPN over Tor over VPN (User > VPN > Tor > VPN).


If you intend to only use Tor over VPN, you only need one VPN account.


See Appendix R: Installing a VPN on your VM or Host OS for instructions.

 

[HEISENBERG]

Whonix Virtual Machines:​

Skip this step if you cannot use Tor.

• Start Virtualbox on your Host OS.
• Import Whonix file Into Virtualbox following the instructions on https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
• Start the Whonix VMs

Remember at this stage that if you are having issues connecting to Tor due to censorship or blocking, you should consider connecting using Bridges as explained in this tutorial https://www.whonix.org/wiki/Bridges [Archive.org].

• Update the Whonix VMs by following the instructions on https://www.whonix.org/wiki/Operating_System_Software_and_Updates#Updates [Archive.org]
• Shutdown the Whonix VMs
• Take a Snapshot of the updated Whonix VMs within Virtualbox (select a VM and click the Take Snapshot button). More on that later.
• Go to next step

Important Note: You should also read these very good recommendations over there https://www.whonix.org/wiki/DoNot [Archive.org] as most of those principles will also apply to this guide. You should also read their general documentation here https://www.whonix.org/wiki/Documentation [Archive.org] which will also provide tons of advice like this guide.