Goal

Integrate everything you’ve learned into a complete, working secure environment.

This isn’t a new lesson with new tools—it’s where you apply Weeks 1-11 to build something real. Choose a project path aligned with your goals.

Prerequisites: Completion of Weeks 1-11

This is Part 1 of 3. It covers project purpose and path selection.


1. Why a Capstone Project?

The Gap Between Learning and Doing

Learning tools ≠ Building systems

You’ve learned:

  • GPG encryption and key management (Week 3)
  • Secure communications protocols (Week 6)
  • Tor and anonymity networks (Week 7)
  • Physical security and airgaps (Week 9)
  • System hardening and sandboxing (Week 11)

But: You haven’t yet combined them into a cohesive security posture for a real scenario.

What Makes a Good Capstone

A good capstone project:

  1. Addresses a real threat model (not hypothetical)
  2. Integrates 5+ skills from different weeks
  3. Has measurable deliverables (not just “learned about X”)
  4. Reflects real trade-offs (security vs usability vs cost)
  5. Documents decisions (why you chose X over Y)

Example of integration:

Scenario: Secure activist communication system

Combines:

  • Week 3: GPG keys for email encryption
  • Week 6: XMPP+OTR for real-time chat
  • Week 7: Tor hidden service for website
  • Week 9: Airgap device for master keys
  • Week 11: Hardened server with AppArmor profiles

2. Choose Your Project Path

Path A: Journalist Source Protection System

Scenario: You’re a journalist who receives sensitive leaks from whistleblowers. You need a system that protects source identities, keeps documents encrypted, and allows anonymous communication.

Threat Model:

  • Adversary: State-level surveillance, forensic investigation
  • Assets: Source identities, leaked documents, communication metadata
  • Attacks: Device seizure, network surveillance, coercion

Required Skills (Weeks):

  • Week 3: GPG encryption for documents
  • Week 4: Encrypted storage (gocryptfs or Tomb)
  • Week 6: Secure messaging (XMPP+OTR or Signal)
  • Week 7: Tor for anonymous uploads (OnionShare)
  • Week 9: Airgap device for storing source contacts
  • Week 11: Hardened laptop with sandboxed PDF viewer

Deliverables:

  1. Encrypted document repository with GPG access control
  2. Tor-based anonymous drop system (OnionShare or custom)
  3. Airgap device with source contact list (no network ever)
  4. Hardened analysis laptop (Firejail for untrusted PDFs)
  5. Communication protocol documentation for sources
  6. Threat model and incident response plan

Estimated time: 10-12 hours


Path B: Privacy-Focused Personal Infrastructure

Scenario: You want maximum personal privacy for everyday computing—secure email, browsing, file storage, and communications—without sacrificing too much usability.

Threat Model:

  • Adversary: Mass surveillance, targeted ads, data brokers
  • Assets: Personal communications, browsing history, files
  • Attacks: Email interception, browser fingerprinting, cloud data breaches

Required Skills (Weeks):

  • Week 3: GPG for email encryption
  • Week 4: Encrypted filesystem (gocryptfs)
  • Week 5: SSH tunneling and VPN
  • Week 6: Secure messaging (Signal + Matrix)
  • Week 7: Tor Browser for sensitive browsing
  • Week 11: Hardened system (Lynis audit, AppArmor, kernel hardening)

Deliverables:

  1. Fully encrypted home directory (gocryptfs or LUKS)
  2. GPG-enabled email client (Thunderbird or Mutt)
  3. Hardened Firefox with AppArmor profile
  4. Private messaging setup (Signal + Matrix)
  5. Automated backup system (encrypted, off-site)
  6. Documentation of privacy threat model and mitigations

Estimated time: 8-10 hours


Path C: Secure Development Environment

Scenario: You’re a developer working on sensitive projects. You need to isolate untrusted dependencies (npm, pip), protect SSH keys and API tokens, and sandbox build processes.

Threat Model:

  • Adversary: Supply chain attacks, malicious packages, compromised dependencies
  • Assets: SSH keys, API tokens, source code, deployment credentials
  • Attacks: Malicious npm/pip packages, typosquatting, backdoored dependencies

Required Skills (Weeks):

  • Week 3: GPG signing for commits
  • Week 5: SSH key management and forwarding
  • Week 8: Compartmentalization with VMs or containers
  • Week 11: Firejail sandboxing for builds, AppArmor for dev tools

Deliverables:

  1. Sandboxed build environment (Firejail or Docker)
  2. SSH key protected with GPG (or hardware token)
  3. Git signing enforced for all commits
  4. Separate VM for untrusted dependency testing
  5. AppArmor profiles for IDEs and build tools
  6. Development security checklist and workflow docs

Estimated time: 8-10 hours


Path D: Airgap Cryptocurrency Wallet System

Scenario: You hold significant cryptocurrency and need a cold storage solution that’s both secure (offline signing) and recoverable (distributed backup).

Threat Model:

  • Adversary: Remote attackers, malware, physical theft
  • Assets: Private keys (control funds), recovery seeds
  • Attacks: Malware on hot wallet, clipboard hijacking, phishing

Required Skills (Weeks):

  • Week 3: GPG for encrypting recovery seeds
  • Week 4: Encrypted USB storage for wallet backups
  • Week 9: Airgap device for offline signing
  • Week 11: Hardened hot wallet system

Deliverables:

  1. Airgap signing device (never touches network)
  2. Encrypted recovery seed backup (GPG + Tomb or Shamir)
  3. Hardened hot wallet (Firejail, no unnecessary software)
  4. Transaction verification workflow (QR code transfer)
  5. Recovery testing documentation
  6. Estate planning for key recovery (if applicable)

Estimated time: 10-12 hours


Path E: Self-Hosted Privacy Infrastructure

Scenario: You want to escape “big tech” surveillance by self-hosting services—email, file sync, calendar, messaging—on your own server or VPS.

Threat Model:

  • Adversary: Cloud service providers, mass surveillance
  • Assets: Personal data, communications, metadata
  • Attacks: Server compromise, network interception, subpoenas to third-party services

Required Skills (Weeks):

  • Week 5: SSH hardening and firewall (UFW)
  • Week 6: Self-hosted messaging (XMPP or Matrix)
  • Week 7: Tor hidden service for private access
  • Week 11: Server hardening (Lynis, AppArmor, kernel hardening)

Deliverables:

  1. Hardened VPS with SSH key-only access
  2. Self-hosted Matrix server (or XMPP)
  3. Tor hidden service for remote access
  4. Encrypted backups to separate location
  5. AppArmor profiles for all services
  6. Monitoring and maintenance playbook

Estimated time: 12-15 hours (most complex path)


Up Next

Week 12b covers project planning, integration patterns, and testing your system.


Key Takeaways

  • Capstone integrates 5+ weeks of skills into one working system
  • Choose a path that matches your real threat model and use case
  • Trade-offs are expected - document why you chose X over Y
  • Real scenarios beat hypothetical ones - build what you’ll actually use
  • Time investment: 8-15 hours depending on complexity