Week 4: Encrypted Filesystems & Secure Containers

🎯 Goal

Learn how to protect local data at rest using encrypted filesystems and containers. Explore tools like LUKS, cryptsetup, gocryptfs, and veracrypt, and practice encrypting backups using tar and rsync over SSH.

🌱 New to this? If the command line feels like a lot, Privacy 101 covers encrypted storage with a graphical, beginner-friendly walkthrough (VeraCrypt, Cryptomator) first: Privacy 101 Week 9: Encrypted Storage →

1. Why Encrypt Data at Rest?

- Prevent access if your device is lost, stolen, or seized
- Protect sensitive logs, identity files, password stores
- Essential for laptops, USB drives, and backups

2. Full-Disk and Partition Encryption with LUKS

What Is LUKS?

- Standard for Linux disk encryption
- Uses cryptsetup to manage encrypted partitions
- Key benefits: strong encryption, passphrase support, keyslots

WARNING: The following examples will erase data. Only do this on test devices or virtual machines.

...

Week 6: Private Messaging, Encrypted Email, and Metadata Hygiene

🎯 Goal

Learn how to communicate securely using end-to-end encrypted messaging, GPG-encrypted email, and metadata minimization. Explore Signal, Matrix, OTR, and email tools. Understand operational privacy trade-offs.

🌱 New to this? If the command line feels like a lot, Privacy 101 walks through secure messaging with Signal in a graphical, beginner-friendly way first: Privacy 101 Week 6: Secure Messaging →

1. Secure Messaging Protocols Overview

| Protocol | E2EE | Decentralized | Metadata Safe | CLI Available |
|---|---|---|---|---|
| Signal | ✅ | ❌ (centralized) | ❌ (requires phone number) | ✅ (via signal-cli) |
| Matrix (Olm) | ✅ | ✅ | ⚠️ (servers can log) | ✅ (nheko, gomuks, etc) |
| XMPP + OTR | ✅ | ✅ | ✅ (self-hosted possible) | ✅ (profanity, mcabber) |
| Tox | ✅ | ✅ (P2P) | ✅ | ✅ (toxic) |

2. Signal CLI Setup

Install signal-cli

For Debian-based distros:

...

Week 9 · Part 1 of 3: Physical Security Fundamentals & Airgap Architecture

Goal

Understand why physical security is critical for complete operational security and learn the principles of airgapped system architecture.

Prerequisites: Weeks 1-8 (encryption, GPG, compartmentalization)

This is Part 1 of 3 - Covers physical security fundamentals and airgap concepts.

1. Why Physical Security Matters

The Digital-Physical Security Gap

Most security focuses on digital threats:

- Malware, phishing, network attacks
- Encrypted communications
- Strong passwords and 2FA

But physical security failures defeat all of this:

...

Week 9 · Part 2 of 3: Building Airgapped Systems & Data Transfer

Goal

Build a functional airgapped system and learn secure methods for transferring data to and from it without network connectivity.

Prerequisites: Week 9a (Physical Security Fundamentals)

This is Part 2 of 3 - Covers system setup and data transfer workflows.

1. Building Your Airgapped System

Operating System Setup

Recommended: Minimal Debian or Arch

    # Create bootable USB installer (on networked machine)
    dd if=debian-netinst.iso of=/dev/sdX bs=4M status=progress

    # Boot target airgap machine from USB
    # During installation:
    # - Do NOT configure network (skip this step)
    # - Enable full-disk encryption (LUKS)
    # - Set strong passphrase (20+ characters)
    # - Minimal package selection (no desktop if CLI-only)

Post-Install Hardening

    # 1. Verify no network interfaces active
    ip link show
    # Should show only 'lo' (loopback) - no eth0, wlan0, etc.

    # 2. Disable all network services permanently
    sudo systemctl disable NetworkManager
    sudo systemctl mask NetworkManager
    sudo systemctl disable systemd-networkd
    sudo systemctl mask systemd-networkd
    sudo systemctl disable bluetooth
    sudo systemctl mask bluetooth

    # 3. Remove network packages (optional, extreme)
    sudo apt purge network-manager wpasupplicant bluetooth bluez

    # 4. Verify networking is truly disabled
    sudo systemctl list-units --type=service --state=running | grep -i net
    # Should return nothing

    # 5. Set BIOS password to prevent boot order changes
    # (Enter BIOS setup during boot, varies by manufacturer)

2. Secure Data Transfer Methods

Option 1: QR Code Transfer (Small Text Data)

When to use: GPG public keys, Bitcoin addresses, short messages, signatures

...

Week 9 · Part 3 of 3: USB Threats, Field Kit & Security Scenarios

Goal

Master USB threat mitigation with usbguard, assemble a cypherpunk field kit for operational security, and apply physical security principles to real-world scenarios.

Prerequisites: Week 9b (Building Airgapped Systems)

This is Part 3 of 3 - Covers USB defense, field operations, and decision-making.

1. USB Threat Mitigation

Understanding USB Attacks

BadUSB (Firmware Reprogramming):

Attacker modifies USB stick firmware
→ USB identifies as keyboard (HID device)
→ Types malicious commands at lightning speed
→ Downloads and executes malware
→ All bypasses antivirus (it's "legitimate" keyboard input)

Rubber Ducky / Bash Bunny:

...