Goal
Learn how to communicate securely using end-to-end encrypted messaging, GPG-encrypted email, and metadata minimization. Explore Signal, Matrix, OTR, and email tools. Understand operational privacy trade-offs.
New to this? If the command line feels like a lot, Privacy 101 walks through secure messaging with Signal in a graphical, beginner-friendly way first: Privacy 101 Week 6: Secure Messaging
1. Secure Messaging Protocols Overview
| Protocol | E2EE | Decentralized | Metadata Safe | CLI Available |
|---|---|---|---|---|
| Signal | Yes | No (centralized) | Partial (phone number required; server sees IP and timing) | Yes (signal-cli) |
| Matrix (Olm/Megolm) | Yes (per room; on by default for private rooms in Element) | Yes (federated) | Partial (homeservers can log contacts and timing) | Yes (gomuks, weechat-matrix; nheko is a GUI) |
| XMPP + OTR | Yes (1-on-1 only) | Yes (self-hosting possible) | Partial (server sees contacts and timing; self-host to control the logs) | Yes (profanity, mcabber) |
| Tox | Yes | Yes (P2P, no servers) | Better (no server to subpoena, but peers and DHT nodes see your IP unless routed over Tor) | Yes (toxic) |
2. Signal CLI Setup
Install signal-cli
signal-cli is not packaged in the Debian/Ubuntu repositories, so apt will not find it. Download a release from https://github.com/AsamK/signal-cli, check its checksum or signature against the release page, and unpack it. It needs a recent Java runtime (JRE 21 for current releases; see the README for the exact version):
sudo tar xf signal-cli-*.tar.gz -C /opt
sudo ln -sf /opt/signal-cli-*/bin/signal-cli /usr/local/bin/signal-cli
Register Your Number (Use Burner SIM or VoIP)
Signal ties the account to a phone number, so if linkability matters for your threat model, register a number that is not tied to you. New registrations usually require a captcha token (the signal-cli wiki explains how to obtain one and pass it with --captcha); the registration is then confirmed with the code sent by SMS:
signal-cli -a +1234567890 register
signal-cli -a +1234567890 verify 123-456
(-a/--account replaces the older -u/--username flag, which is deprecated but still seen in old tutorials.)
Or Link to an Existing Phone Registration
Instead of registering a second number, signal-cli can join an existing Signal account as a linked device; the command prints a URI that you turn into a QR code and scan from the phone's Linked Devices screen:
signal-cli link -n cli | qrencode -t utf8
Send a Message
signal-cli -a +1234567890 send -m "Cypherpunk test message" +10987654321
Receive Messages
signal-cli -a +1234567890 receive
Before you rely on a contact, compare the safety number (signal-cli -a +1234567890 listIdentities) with them over another channel and mark it verified with trust -v; on first contact Signal accepts whatever key it is handed, so without this step a key substituted in transit looks identical to the real one.
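The register, verify, trust, send and receive steps above as one reusable script. This is an added example, not code from the original page or from the signal-cli project: it assumes signal-cli 0.13 or later (the -a/--account flag, and the --captcha, verify, trust -v and receive --timeout options as documented in signal-cli's help). Setting SIGNAL_CLI=echo prints the commands instead of running them, which is how the functions can be checked without a registered account.

```shell
#!/bin/sh
# Added example: wrapper for the signal-cli account lifecycle. Not from the
# page or the signal-cli project. Assumes signal-cli >= 0.13 with the
# -a/--account flag (the older -u spelling is deprecated). Set
# SIGNAL_CLI=echo to dry-run and just see the commands that would be issued.
SIGNAL_CLI="${SIGNAL_CLI:-signal-cli}"

# Accept only E.164 numbers (+ followed by 8-15 digits). A typo here registers
# or messages a stranger, so fail before signal-cli ever runs.
is_e164() {
    case "$1" in
        +[0-9]*) ;;
        *) return 1 ;;
    esac
    n="${1#+}"
    case "$n" in *[!0-9]*) return 1 ;; esac
    [ "${#n}" -ge 8 ] && [ "${#n}" -le 15 ]
}

# Step 1: request registration. Signal usually demands a captcha token for
# new registrations; pass it as the second argument when you have one.
signal_register() {          # usage: signal_register +ACCOUNT [CAPTCHA_TOKEN]
    is_e164 "$1" || { echo "bad account number: $1" >&2; return 2; }
    if [ -n "${2:-}" ]; then
        "$SIGNAL_CLI" -a "$1" register --captcha "$2"
    else
        "$SIGNAL_CLI" -a "$1" register
    fi
}

# Step 2: confirm with the code received by SMS or voice call.
signal_verify() {            # usage: signal_verify +ACCOUNT 123-456
    "$SIGNAL_CLI" -a "$1" verify "$2"
}

# Step 3: mark a peer's identity key as verified ONLY with the safety number
# you compared out of band. Without this, a key swapped in transit is accepted
# silently on first contact. Refuses to run without a safety number rather
# than falling back to "trust all known keys".
signal_trust() {             # usage: signal_trust +ACCOUNT +PEER SAFETY_NUMBER
    is_e164 "$2" || { echo "bad peer number: $2" >&2; return 2; }
    [ -n "${3:-}" ] || { echo "refusing to trust without a safety number" >&2; return 2; }
    "$SIGNAL_CLI" -a "$1" trust -v "$3" "$2"
}

# Step 4: send and receive.
signal_send() {              # usage: signal_send +ACCOUNT +PEER "message"
    is_e164 "$2" || { echo "bad peer number: $2" >&2; return 2; }
    "$SIGNAL_CLI" -a "$1" send -m "$3" "$2"
}

signal_receive() {           # usage: signal_receive +ACCOUNT [TIMEOUT_SECONDS]
    "$SIGNAL_CLI" -a "$1" receive --timeout "${2:-5}"
}
```

Source the file and call the functions in order: signal_register, signal_verify with the SMS code, signal_trust once the safety number has been read back over a call or in person, then signal_send and signal_receive. The number check is deliberately strict; signal-cli would also reject a malformed number, but failing locally keeps a typo from reaching the server at all.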
3. Matrix + Element (Or CLI Clients)
Choose a Homeserver
- Use a privacy-respecting instance or self-host (e.g. matrix.org, tchncs.de, envs.net)
- Register with Element or CLI tools
- The homeserver sees your IP address, contact graph and message timing even when every room is encrypted, so choose it as carefully as an email provider, or run Synapse yourself (Scenario 2 below)
CLI Matrix Clients
- gomuks: terminal-based, fast
- weechat + matrix plugin: customizable IRC-style UI
- nheko: GUI, encrypted room support
Whichever client you use, confirm encryption is enabled for the room and verify the other party's devices (emoji or key comparison) before saying anything sensitive; an unverified device that joins the room receives the room keys like any other.
3b. XMPP + OTR Setup (Self-Hosted Option)
Why XMPP + OTR?
- Decentralized: Run your own server or use trusted providers
- OTR (Off-the-Record): Perfect forward secrecy, deniability
- Lightweight: Works over Tor, low bandwidth
- Privacy: No phone number required, pseudonymous
Install Profanity (Terminal XMPP Client)
sudo apt install profanity
Or build from source: https://profanity-im.github.io
Create XMPP Account
Option 1: Use an existing provider
- conversations.im (privacy-focused)
- disroot.org (activist-friendly)
- 404.city (Tor-friendly)
Option 2: Self-host with Prosody
sudo apt install prosody
Configure Profanity with OTR
Check first that your build has OTR compiled in (profanity -v lists OTR support; the Debian package is built with libotr). Then start it:
profanity
Inside Profanity:
/account add myaccount
/account set myaccount jid [email protected]
/connect myaccount
/otr gen
/otr gen creates your long-term OTR key; run it once per account and note your fingerprint with /otr myfp so you can read it to contacts.
Start OTR Session
/msg [email protected]
/otr start
Verify fingerprints; until you do, the session is encrypted but you do not know to whom. Either compare /otr myfp and /otr theirfp over a separate channel, or use the question/answer exchange (the answer must be something only the two of you know, agreed in person, not guessable from your chat history):
/otr question "What is our secret word?" answer
OTR protects message bodies only; the XMPP server still sees who talks to whom and when.
Why OTR Over OMEMO?
| Feature | OTR | OMEMO |
|---|---|---|
| Perfect Forward Secrecy | Yes | Yes |
| Deniability | Yes (MAC keys are published after use) | Weaker (no explicit revelation of MAC keys) |
| Multi-device | No (one session per key) | Yes |
| Group chats | No | Yes |
| Offline messages | No (both sides must be online for the handshake) | Yes |
Use OTR for: 1-on-1 conversations, plausible deniability, lightweight setups.
Use OMEMO for: multi-device, group chats, offline delivery, modern UX (Conversations app).
4. Encrypted Email with GPG + CLI
Install mutt or neomutt
sudo apt install mutt
Configure Mail Account in .muttrc
Basic config:
set from = "[email protected]"
set realname = "Anon"
set smtp_url = "smtp://[email protected]@smtp.mailserver.com:587/"
set smtp_pass = "your_password"
A plaintext password in .muttrc is a weak point: mutt accepts a command in backticks for this value, so it can be fetched from pass or another manager at startup instead. Also set ssl_force_tls = yes so mutt refuses to talk to the server if STARTTLS is unavailable, and keep the file at mode 600.
Enable GPG in Mutt
set crypt_use_gpgme = yes
set crypt_autosign = yes
set crypt_replyencrypt = yes
set crypt_replysign = yes
Encrypt and Send an Email
Compose with mutt; in the compose menu press p to open the PGP menu and choose e (encrypt), s (sign) or b (both), then y to send. (s at the compose menu itself edits the subject, so go through p first.)
Make sure the recipient's public key is imported, and check its fingerprint (gpg --fingerprint) against a value you obtained out of band, in person or over a call; whoever can hand you a key can read everything you encrypt to it:
gpg --import keys/their_pubkey.asc
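The import-and-check step above, written so the check cannot be skipped: the key file is inspected without importing, imported only if it contains the fingerprint you were given out of band, and then local-signed so gpg and mutt stop warning about it. This is an added example, not from the page; it assumes gpg 2.1.13 or later (for --import-options show-only and --quick-lsign-key) and that you already have your own secret key to sign with.

```shell
#!/bin/sh
# Added example (not from the page): only import a correspondent's public key
# once its fingerprint matches the one you obtained out of band, then local-sign
# it so gpg (and mutt via gpgme) treat it as verified. Assumes gpg 2.1.13+ for
# --import-options show-only and that you have your own secret key for lsign.

# Normalise a fingerprint as people read them out ("ABCD 1234 ...", "0xabcd...")
# to 40 uppercase hex characters so the comparison is exact.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# True only when both values normalise to the same well-formed 40-hex string.
# A short ID or a partial match is rejected: short key IDs are trivially
# collidable and must never be used for this decision.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in *[!0-9A-F]*|'') return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# List the primary-key fingerprints in a key file WITHOUT importing anything.
# In --with-colons output the fpr record's 10th field is the fingerprint; the
# first fpr after each pub record belongs to the primary key.
key_file_fprs() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "pub" { want = 1 } $1 == "fpr" && want { print $10; want = 0 }'
}

# Import only if the expected key is in the file; then lsign (a local,
# non-exportable signature) so later encryptions do not warn about an
# untrusted key and nothing about the relationship is published.
import_verified_key() {      # usage: import_verified_key FILE EXPECTED_FPR
    expected=$(normalize_fpr "$2")
    found=1
    for f in $(key_file_fprs "$1"); do
        if fpr_matches "$f" "$expected"; then found=0; fi
    done
    if [ "$found" -ne 0 ]; then
        echo "refusing import: $1 does not contain key $expected" >&2
        return 1
    fi
    gpg --batch --import "$1" && gpg --batch --quick-lsign-key "$expected"
}
```

Usage: import_verified_key keys/their_pubkey.asc "ABCD 1234 ..." with the fingerprint typed exactly as the other person read it out; the normaliser removes spacing and case differences but a single wrong character still fails, which is the point. lsign rather than sign is deliberate: a local signature records your verification without ever being exported to a keyserver.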
4b. Email Aliases & Identity Compartmentalization
Why Email Aliases?
- Prevent tracking across services
- Isolate identities (work, personal, activist, shopping)
- Easy to burn/delete compromised addresses
- Reveal who leaked or sold your data
SimpleLogin (Open Source, Self-Hostable)
Service: https://simplelogin.io
Features:
- Unlimited aliases (premium)
- Reply from alias
- PGP encryption support
- Open source, can self-host
Setup:
- Create SimpleLogin account
- Generate alias: [email protected]
- Forward to your real email
- Reply from alias (preserves compartmentalization)
AnonAddy (Alternative, now branded addy.io)
Service: https://anonaddy.com
Features:
- Similar to SimpleLogin
- Can use custom domains
- Encrypted forwarding
- Self-hostable (based on Laravel)
Burner Email for Signups
Guerrilla Mail: https://www.guerrillamail.com
- Temporary, disposable
- No signup required
- Good for one-time verifications
10 Minute Mail: https://10minutemail.com
- Self-destructs after 10 minutes
- Can extend if needed
Caveat: these inboxes are effectively unauthenticated (Guerrilla Mail's are openly shared), so anyone who guesses or reuses the address can read the mail and trigger a password reset. Use them for throwaway signups only, never for an account you intend to keep.
CLI Email Alias Management
With the SimpleLogin API (the key goes in an Authentication header, and creating an alias is a POST):
curl -X POST -H "Authentication: YOUR_API_KEY" \
https://app.simplelogin.io/api/alias/random/new
Integrate into your password manager workflow!
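The API call above, extended into the per-service workflow the "Why Email Aliases?" list describes: one alias per hostname, recorded in a local ledger so that a leaked or sold alias names the service that leaked it. This is an added example, not code from the page or from SimpleLogin. It assumes the endpoint is POST /api/alias/random/new, that the key goes in an Authentication header, that ?hostname= is an optional query parameter, and that the JSON reply carries the new address in an "email" field; confirm those against the current API documentation before relying on it.

```shell
#!/bin/sh
# Added example, not from the page or SimpleLogin: one alias per service via the
# SimpleLogin API, with a local ledger so a leaked alias names the leaker.
# Assumptions: the endpoint is POST /api/alias/random/new, the key goes in an
# "Authentication" header, ?hostname= is an optional query parameter, and the
# JSON reply carries the new address in an "email" field. Check these against
# the current API docs before relying on them.
SL_API="${SL_API:-https://app.simplelogin.io}"
SL_LEDGER="${SL_LEDGER:-$HOME/.config/sl-aliases.tsv}"

# Pull the "email" value out of the reply without jq. Good enough for the flat
# object this endpoint returns; it is not a general JSON parser.
extract_alias() {
    printf '%s' "$1" | sed -n 's/.*"email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Only plain hostnames go into the query string: anything else could smuggle
# extra parameters or end up in the ledger as garbage.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.) return 1 ;;
    esac
    return 0
}

sl_new_alias() {             # usage: sl_new_alias shop.example
    valid_hostname "$1" || { echo "bad hostname: $1" >&2; return 2; }
    [ -n "${SL_API_KEY:-}" ] || { echo "SL_API_KEY is not set" >&2; return 2; }
    # The header is fed to curl through a config file on stdin (-K -) so the
    # API key never appears in the process list the way a -H argument would.
    resp=$(printf 'header = "Authentication: %s"\n' "$SL_API_KEY" \
        | curl -fsS -K - -X POST "$SL_API/api/alias/random/new?hostname=$1") || return 1
    addr=$(extract_alias "$resp")
    [ -n "$addr" ] || { echo "no alias in response: $resp" >&2; return 1; }
    mkdir -p "$(dirname "$SL_LEDGER")"
    printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$addr" >> "$SL_LEDGER"
    printf '%s\n' "$addr"
}

# Spam or a breach notice arrived on an alias: which service did you give it to?
sl_whose_alias() {           # usage: sl_whose_alias polite.duck.1234@simplelogin.co
    [ -r "$SL_LEDGER" ] || return 1
    awk -F'\t' -v a="$1" '$3 == a { print $2 }' "$SL_LEDGER"
}
```

Keep SL_API_KEY in your password manager and export it only for the shell session that mints aliases; the ledger itself is a map of your identities, so store it inside the same encrypted home or password store rather than in a plain dotfile on a shared machine.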
5. Metadata Hygiene
Remove File Metadata
Install mat2:
sudo apt install mat2
Clean a file:
mat2 secret.pdf
mat2 writes secret.cleaned.pdf and leaves the original untouched, so share the cleaned copy, not the original. To see what would be removed first, run mat2 --show secret.pdf.
Supports: PDFs, images, Office files, audio, video
Check for EXIF Data in Images
exiftool image.jpg
Strip metadata:
exiftool -all= image.jpg
exiftool keeps the untouched file as image.jpg_original; delete it (or pass -overwrite_original) so the metadata-bearing copy is not shared by mistake. Re-run exiftool image.jpg afterwards and read the output: -all= does not necessarily remove everything in every format, and what survives is exactly what mat2 or re-encoding is for.
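The strip-then-check routine described above as a script: exiftool removes the tags, and a second pass reads the file back and refuses to call it clean if anything identifying survived. This is an added example, not code from the page, mat2 or exiftool; the list of tags treated as sensitive is my own selection, not an exhaustive one, and the sample exiftool output used to exercise the scanner is constructed.

```shell
#!/bin/sh
# Added example (not from the page, mat2 or exiftool): strip a file's metadata
# with exiftool, then verify the result by reading it back and flagging any tag
# that still identifies a person, device, time or place. The tag list is my own
# choice of high-value tags, not an exhaustive one.

# Read exiftool's "Tag Name   : value" lines on stdin, print the sensitive ones,
# exit 0 if any were found and 1 if the input looks clean. Works on a live
# "exiftool FILE" pipe or on saved output.
scan_exif_lines() {
    awk -F' *: ' '
        BEGIN { hits = 0 }
        $1 ~ /^(GPS|Make|Model|Camera Model Name|Serial Number|Camera Serial Number|Lens Serial Number|Body Serial Number|Owner Name|Artist|Creator|Author|Last Modified By|Software|Host Computer|User Comment|Create Date|Modify Date|Date\/Time Original|Document ID|Original Document ID)/ {
            print
            hits++
        }
        END { exit (hits > 0 ? 0 : 1) }'
}

# Strip in place, then re-read the file and refuse to call it clean if any
# sensitive tag survived. exiftool cannot rewrite every structure in every
# container, which is exactly why the second pass matters; hand anything that
# fails to mat2 or re-encode it.
strip_and_verify() {         # usage: strip_and_verify FILE
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # -overwrite_original: otherwise FILE_original, with all metadata intact,
    # sits next to the cleaned file and gets shared by accident.
    exiftool -q -overwrite_original -all= "$f" || return 1
    if exiftool "$f" | scan_exif_lines; then
        echo "WARNING: $f still carries identifying metadata (listed above)" >&2
        return 1
    fi
    echo "clean: $f"
}
```

Run strip_and_verify on a copy of the file, never on the only original; the point of the verification pass is that "the tool ran" and "the metadata is gone" are different claims, and only the second one is worth sharing a file on.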
5b. When to Use Which Messaging Protocol
Protocol Selection Flowchart
START HERE:
Do you need to contact non-technical people?
- YES β Signal (easiest onboarding, strong E2EE)
- NO β Continue
Is anonymity critical (no phone number)?
- YES β XMPP + OTR or Matrix (pseudonymous)
- NO β Continue
Do you need group chats and multi-device?
- YES β Matrix (federated, modern features)
- NO β XMPP + OTR (1-on-1, lightweight)
Do you need it to work over Tor with high latency?
- YES β XMPP + OTR (low bandwidth, works on slow connections)
- NO β Signal or Matrix work fine
Do you need true P2P (no servers)?
- YES β Tox (completely decentralized, NAT traversal)
- NO β Any of the above
Real-World Scenarios
Scenario 1: Journalist Contacting Source
- Use: Signal (if source is non-technical) or XMPP + OTR (if source is technical)
- Why: E2EE mandatory, disappearing messages; note that screenshot blocking is a local client setting and does nothing against the other party's camera or a copied message
- Setup: Burner phone number + VoIP for Signal, or pseudonymous XMPP account; compare safety numbers or OTR fingerprints at first contact
Scenario 2: Activist Coordination Group
- Use: Matrix (Element) on private homeserver
- Why: Group chat, federation, self-hosting = control
- Setup: Rent VPS with cryptocurrency, deploy Synapse server, invite-only rooms
Scenario 3: Privacy Researcher Collaboration
- Use: XMPP + OTR (1-on-1) or Matrix (group)
- Why: Metadata-resistant, Tor-friendly, technical users
- Setup: Run the XMPP server as a Tor onion service, verify OTR fingerprints via a separate channel
Scenario 4: Family Group Chat
- Use: Signal
- Why: Easy for non-technical users, still E2EE
- Setup: Standard Signal registration, set a Registration Lock PIN and explain to the family why it matters
What NOT To Use
- WhatsApp - Owned by Meta, metadata collection, closed source
- Telegram - Not E2EE by default; secret chats are, but group chats aren't
- Discord - No E2EE, server logs everything, owned by surveillance-friendly company
- Slack - Enterprise owns all data, no E2EE, compliance logging
- SMS - Plaintext, easily intercepted, SS7 attacks
Metadata Comparison
| Protocol | Phone Number | IP Address | Contact Graph | Message Times |
|---|---|---|---|---|
| Signal | Required | Visible to Signal's servers unless you connect via Tor or a proxy | Partly hidden (private contact discovery runs in SGX enclaves, sealed sender hides the sender from the server); you are trusting the enclave and Signal's deployment of it | Visible to Signal's servers at delivery |
| Matrix | Optional | Visible to homeserver | Visible to homeserver | Visible to homeserver |
| XMPP + OTR | Optional | Visible to server | Visible to server | Visible to server |
| Tox | Not required | P2P (Tor optional) | P2P only | P2P only |
Mitigation: Use Tor for all protocols, use burner identities, rotate accounts
6. Plausible Deniability & Hidden Volumes
Key Concepts
- Deniability: can an adversary prove that you hold a key, or that a hidden volume exists at all? The goal is that handing over the outer volume under coercion is indistinguishable from handing over everything.
- Hidden volumes: VeraCrypt supports them natively; LUKS only approximates the idea with a detached header; Tomb hides the key material rather than the volume
- Operational strategies: decoy accounts, nested keys, delayed unlocks
- The weak point is the host, not the container: recent-file lists, thumbnails, journals and swap reveal that a hidden volume was used, which is why this pairs with a RAM-only live OS
Tools to Explore
- veracrypt (hidden volumes)
- tomb + gpg (hidden keys)
- Live OS (e.g. Tails, Whonix) with RAM-only operation
7. Journal & Git Commit
Reflect on Week 6
echo "Week 6: Practiced private messaging with Signal, Matrix, and XMPP+OTR. Set up email aliases for compartmentalization. Learned protocol selection based on threat models. Configured encrypted email workflows." >> notes/week6_journal.md
Git Commit
git add .
git commit -S -m "Week 6 - Secure messaging, XMPP+OTR, email aliases, protocol selection"
Week 6 Checklist
- Sent and received messages with Signal CLI
- Registered and chatted on Matrix via CLI
- NEW: Set up XMPP + OTR with Profanity client
- NEW: Created email aliases with SimpleLogin or AnonAddy
- NEW: Learned protocol selection based on threat model
- Configured mutt for encrypted email with GPG
- Practiced metadata removal with mat2 and exiftool
- Explored hidden volumes and plausible deniability concepts
- Journaled and made signed Git commit
Up Next: Week 7 Preview
- Tor architecture: How anonymity networks actually work
- Tor Browser setup and operational security
- Running Tor relays and bridges
- Onion services: Hosting .onion sites
- Tor pitfalls and when NOT to use Tor
Notes
- Assume any central service (Signal, Matrix, etc) logs metadata
- Email aliases prevent cross-service tracking - use unique alias per service
- Protocol choice depends on threat model - convenience vs anonymity vs features
- XMPP + OTR provides best deniability, Signal provides best UX, Matrix provides best flexibility
- Use burner SIMs, disposable email, and random usernames
- Strip metadata before sharing any files or screenshots
- Hidden volumes and RAM-only OSes can protect against coercion
- Test your messaging setup over Tor to ensure it works under network restrictions