Week 4: Encrypted Filesystems & Secure Containers

🎯 Goal Learn how to protect local data at rest using encrypted filesystems and containers. Explore tools like LUKS, cryptsetup, gocryptfs, and veracrypt, and practice encrypting backups using tar and rsync over SSH. 🌱 New to this? If the command line feels like a lot, Privacy 101 covers encrypted storage with a graphical, beginner-friendly walkthrough (VeraCrypt, Cryptomator) first: Privacy 101 Week 9: Encrypted Storage β†’ 1. Why Encrypt Data at Rest? Prevent access if your device is lost, stolen, or seized Protect sensitive logs, identity files, password stores Essential for laptops, USB drives, and backups 2. Full-Disk and Partition Encryption with LUKS What Is LUKS? Standard for Linux disk encryption Uses cryptsetup to manage encrypted partitions Key benefits: strong encryption, passphrase support, keyslots WARNING The following examples will erase data. Only do this on test devices or virtual machines. ...

Week 5: SSH Deep Dive & Secure Shell

🎯 Goal Master SSH for secure remote access, authentication hardening, port forwarding, and tunneling. Learn to configure SSH servers securely, use key-based authentication, and leverage SSH tunnels for accessing internal networks. 1. SSH Fundamentals & Key-Based Authentication Why SSH Keys Over Passwords? Passwords are weak: Vulnerable to brute force attacks Can be keylogged or phished Easily forgotten or reused SSH keys are strong: 4096-bit RSA or ed25519 provide cryptographic security Private key never leaves your machine Cannot be brute forced in reasonable time Generate an SSH Key Pair Recommended: Ed25519 (modern, fast, secure) ...

Week 6: Private Messaging, Encrypted Email, and Metadata Hygiene

🎯 Goal Learn how to communicate securely using end-to-end encrypted messaging, GPG-encrypted email, and metadata minimization. Explore Signal, Matrix, OTR, and email tools. Understand operational privacy trade-offs. 🌱 New to this? If the command line feels like a lot, Privacy 101 walks through secure messaging with Signal in a graphical, beginner-friendly way first: Privacy 101 Week 6: Secure Messaging β†’ 1. Secure Messaging Protocols Overview Protocol E2EE Decentralized Metadata Safe CLI Available Signal βœ… ❌ (centralized) ❌ (requires phone number) βœ… (via signal-cli) Matrix (Olm) βœ… βœ… ⚠️ (servers can log) βœ… (nheko, gomuks, etc) XMPP + OTR βœ… βœ… βœ… (self-hosted possible) βœ… (profanity, mcabber) Tox βœ… βœ… (P2P) βœ… βœ… (toxic) 2. Signal CLI Setup Install signal-cli For Debian-based distros: ...

Week 7 Β· Part 1 of 2: Introduction to Tor & Onion Routing

Goal Understand how Tor enables anonymous communication, install and configure Tor Browser securely, and learn the essential operational security practices for anonymous browsing. Prerequisites: Weeks 1-6 (encryption, communications, networking) This is Part 1 of 2 - Covers Tor fundamentals, installation, and basic OpSec. Note on Responsible Use: Tor is a powerful privacy tool used by journalists, whistleblowers, activists, and ordinary people worldwide to protect their communications from surveillance. This lesson teaches Tor for legitimate privacy protection. Know your local laws and use these skills ethically. ...

Week 7 Β· Part 2 of 2: Advanced Tor β€” VPNs, Bridges, Relays & Limitations

Goal Master advanced Tor techniques including VPN combinations, bypassing censorship with bridges, contributing to the network by running relays, integrating Tor with SSH, and understanding when NOT to use Tor. Prerequisites: Week 7a (Tor Fundamentals) This is Part 2 of 2 - Covers advanced configuration and limitations. 🌱 New to this? For a gentler take on VPNsβ€”what they do, what they don’t, and how to pick oneβ€”Privacy 101 covers it without the command line: Privacy 101 Week 7: VPNs Done Right β†’ ...

Week 8 Β· Part 1 of 2: Compartmentalization Fundamentals & Virtual Machines

Goal Understand why identity compartmentalization is critical for operational security and learn to create isolated environments using virtual machines. Prerequisites: Weeks 1-7 (encryption, Tor, networking) This is Part 1 of 2 - Covers compartmentalization concepts and VM basics. 🌱 New to this? Privacy 101 introduces the operational-security mindsetβ€”habits, compartmentalization, and the privacy mindsetβ€”in a beginner-friendly way first: Privacy 101 Week 11: Operational Security β†’ 1. Why Compartmentalization Matters The Problem: Identity Bleeding Without compartmentalization: ...

Week 8 Β· Part 2 of 2: Whonix, Tails & Practical Compartmentalization

Goal Master specialized security operating systems (Whonix and Tails) for maximum anonymity and build practical compartmentalization workflows for different use cases. Prerequisites: Week 8a (VM Fundamentals) This is Part 2 of 2 - Covers Whonix, Tails, and practical workflows. 1. Whonix: Maximum Anonymity Through Isolation What is Whonix? Two-VM architecture for Tor isolation: β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Whonix-Workstation β”‚ β”‚ (Where you actually work) β”‚ β”‚ - Browser, apps, files β”‚ β”‚ - Cannot directly access internet β”‚ β”‚ - All traffic β†’ Whonix-Gateway β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ Internal Network Only ↓ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Whonix-Gateway β”‚ β”‚ (Tor relay) β”‚ β”‚ - Routes all traffic through Tor β”‚ β”‚ - No applications run here β”‚ β”‚ - Workstation cannot bypass Tor β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ Why this matters: ...

Week 9 Β· Part 1 of 3: Physical Security Fundamentals & Airgap Architecture

Goal Understand why physical security is critical for complete operational security and learn the principles of airgapped system architecture. Prerequisites: Weeks 1-8 (encryption, GPG, compartmentalization) This is Part 1 of 3 - Covers physical security fundamentals and airgap concepts. 1. Why Physical Security Matters The Digital-Physical Security Gap Most security focuses on digital threats: Malware, phishing, network attacks Encrypted communications Strong passwords and 2FA But physical security failures defeat all of this: ...

Week 9 Β· Part 2 of 3: Building Airgapped Systems & Data Transfer

Goal Build a functional airgapped system and learn secure methods for transferring data to and from it without network connectivity. Prerequisites: Week 9a (Physical Security Fundamentals) This is Part 2 of 3 - Covers system setup and data transfer workflows. 1. Building Your Airgapped System Operating System Setup Recommended: Minimal Debian or Arch # Create bootable USB installer (on networked machine) # WARNING: verify /dev/sdX with `lsblk` first β€” the wrong device DESTROYS its data. sudo dd if=debian-netinst.iso of=/dev/sdX bs=4M status=progress # Boot target airgap machine from USB # During installation: # - Do NOT configure network (skip this step) # - Enable full-disk encryption (LUKS) # - Set strong passphrase (20+ characters) # - Minimal package selection (no desktop if CLI-only) Post-Install Hardening # 1. Verify no network interfaces active ip link show # Should show only 'lo' (loopback) - no eth0, wlan0, etc. # 2. Disable all network services permanently sudo systemctl disable NetworkManager sudo systemctl mask NetworkManager sudo systemctl disable systemd-networkd sudo systemctl mask systemd-networkd sudo systemctl disable bluetooth sudo systemctl mask bluetooth # 3. Remove network packages (optional, extreme) sudo apt purge network-manager wpasupplicant bluetooth bluez # 4. Verify networking is truly disabled sudo systemctl list-units --type=service --state=running | grep -i net # Should return nothing # 5. Set BIOS password to prevent boot order changes # (Enter BIOS setup during boot, varies by manufacturer) 2. Secure Data Transfer Methods Option 1: QR Code Transfer (Small Text Data) When to use: GPG public keys, Bitcoin addresses, short messages, signatures ...

Week 9 Β· Part 3 of 3: USB Threats, Field Kit & Security Scenarios

Goal Master USB threat mitigation with usbguard, assemble a cypherpunk field kit for operational security, and apply physical security principles to real-world scenarios. Prerequisites: Week 9b (Building Airgapped Systems) This is Part 3 of 3 - Covers USB defense, field operations, and decision-making. 1. USB Threat Mitigation Understanding USB Attacks BadUSB (Firmware Reprogramming): Attacker modifies USB stick firmware β†’ USB identifies as keyboard (HID device) β†’ Types malicious commands at lightning speed β†’ Downloads and executes malware β†’ All bypasses antivirus (it's "legitimate" keyboard input) Rubber Ducky / Bash Bunny: ...