Back in 2017, I shared a detailed post about the configuration of my Linux laptops on my blog (you can find it here). Since then, not only has my tech setup evolved, but my understanding and awareness of security and privacy issues have significantly deepened. This journey has led me to adopt new tools and practices to enhance my digital security and protect my privacy. In this updated post, I will walk you through my current hardware, the operating systems I use, the applications that are essential to my workflow, and the strategies I employ to maintain a robust level of privacy and security.

Laptops

Hardware

I currently use three laptops, each serving different purposes but unified by a common software environment:

  1. Medion E4251: This budget-friendly device is my go-to for everyday tasks and experimentation.
  2. Samsung Chromebook 4: Originally a simple Chromebook, I’ve replaced its firmware with Coreboot to increase its flexibility and performance.
  3. MacBook Air 2015: Despite its age, this MacBook remains a reliable workhorse, especially with the right software tweaks.

Operating System and Configuration

All my laptops run Debian 12 with the i3 window manager. i3’s lightweight and highly customizable nature makes it perfect for my needs. To keep my configurations consistent across all devices, I use a private GitHub repository for synchronization.

Here are some key applications I use on my laptops:

  • Neomutt: An email client for the terminal that supports multiple accounts, PGP/GPG encryption, and threading. It’s highly customizable, making it perfect for handling complex email workflows efficiently.
  • calcurse and calcurse-caldav: I use calcurse, a text-based calendar and scheduling application, along with calcurse-caldav for CalDAV support. This allows me to manage my schedule and appointments directly from the terminal, seamlessly integrating with my workflow and ensuring privacy by avoiding reliance on cloud-based calendar services.
  • pass: A password manager that uses GPG for encryption. It stores passwords as individual files, making it easy to integrate with version control systems and synchronize across devices.
  • Syncthing: A continuous file synchronization program that keeps files synchronized between my devices in real-time. It’s secure, decentralized, and open-source, ensuring my data stays private.
  • cmus: A small, fast, and powerful console music player. It supports a wide range of audio formats and provides a customizable and efficient interface for managing music.
  • yewtube: A terminal-based YouTube client that allows me to search for and watch videos directly from the command line, avoiding the clutter and distractions of the web interface.
  • nchat: A simple, terminal-based chat client supporting multiple protocols. It helps me stay connected without the need for graphical applications.
  • newsboat: A fast and flexible RSS feed reader for the terminal. It allows me to keep up with my favorite websites and blogs efficiently.

Browser

My browser of choice is Firefox, configured with a custom setup based on Arkenfox. Arkenfox provides a comprehensive set of privacy and security enhancements that I further tweak to fit my specific needs. I also use uBlock Origin for ad-blocking.

Mobile Devices

Hardware and Operating System

My smartphones are exclusively Android devices running LineageOS. I avoid Google Apps for privacy reasons and instead use MicroG. This open-source implementation of Google Play Services allows me to have essential functionality without compromising my privacy too much.

Despite my ongoing concerns about the privacy implications of push notifications, I have enabled device registration and cloud messaging on MicroG. While I continue to view push notifications as a potential privacy nightmare, I recognize that usability is a critical factor in my daily workflow. By enabling these features in MicroG, I strike a necessary compromise, ensuring that my Android devices remain functional and convenient for everyday use without fully surrendering my commitment to privacy. This approach allows me to receive essential notifications and maintain effective communication while still minimizing my reliance on Google’s proprietary services.

Applications

On Android, I prefer open-source applications wherever possible. Here’s a list of some of my most-used apps:

  • F-Droid: An open-source app repository. It’s my primary source for discovering and installing open-source apps.
  • Aurora Store: An alternative to Google Play Store, allowing me to download apps without a Google account.
  • K-9 Mail: A powerful and open-source email client with support for multiple accounts, PGP encryption, and a customizable interface.
  • DAVx5: An open-source CalDAV/CardDAV sync app, used to synchronize my calendars and contacts with my self-hosted server.
  • Privacy Browser: A privacy-focused mobile browser that minimizes tracking and enhances security by blocking advertisements and trackers, ensuring a more private browsing experience.
  • AudiobookShelf: A self-hosted audiobook server app that helps me organize and listen to my audiobook collection.
  • Telegram: For messaging, I use Telegram due to its support for encrypted chats, channels, and bots, which add versatility to its functionality.
  • Lichess: A free and open-source chess app that provides access to the Lichess.org platform for playing and learning chess.
  • Mastodon: An open-source social network that offers a decentralized alternative to traditional social media platforms.
  • Syncthing: Used here as well for file synchronization across my mobile devices and laptops.
  • Passwordstore: An Android client for pass, allowing me to access my encrypted passwords on the go.
  • OpenKeychain: For managing my GPG keys on Android, which integrates seamlessly with K-9 Mail for email encryption.
  • AntennaPod: An open-source podcast manager that lets me subscribe to, download, and play podcasts efficiently.
  • Gadgetbridge: An app for managing various smartwatches and fitness trackers without needing proprietary cloud services.

Email, Calendars, and Contacts

I prefer self-hosting my email and synchronization services to avoid reliance on third parties. For this, I use a small VPS (I rely on this all-in-one script) running:

  • Exim: A highly configurable Mail Transfer Agent (MTA) used to send and receive emails.
  • Dovecot: An IMAP server that allows me to access my emails securely from multiple devices.
  • Radicale: A small and simple CalDAV/CardDAV server that I use to synchronize my calendars and contacts.
  • Syncthing: Also used here for synchronizing files between my VPS and other devices.

Streaming, eBooks, and Audiobooks

To manage my multimedia content, I use a more robust VPS with ample storage. This server hosts my personal collection of movies, TV shows, eBooks, and audiobooks. Here are the key services I run:

  • Jellyfin: A free software media system that helps me manage and stream my personal media collection. It supports a wide range of media formats and provides a polished interface for accessing my content.
  • AudiobookShelf: This self-hosted audiobook server allows me to manage and listen to my audiobook collection from anywhere.

Search Engine

In addition to the above services, I also host an instance of SearXNG, an open-source metasearch engine that aggregates results from various search engines while protecting my privacy. This setup allows me to perform web searches without being tracked or profiled by major search engines, ensuring a more private and controlled search experience.

Privacy and Security Practices

Maintaining privacy and security is a top priority in my setup. Here are some of the measures I take:

Encryption

All sensitive data, including email and files, is encrypted using tools like OpenKeychain and GnuPG. Encryption ensures that even if data is intercepted, it remains unreadable to unauthorized parties.

Password Management

I use pass, a simple but powerful password manager that stores passwords as encrypted GPG files. This approach integrates seamlessly with my terminal-based workflow and ensures that passwords are securely stored and easily accessible.

Two-Factor Authentication (2FA)

Wherever possible, I enable 2FA to add an additional layer of security to my accounts. I use authenticator apps for generating time-based one-time passwords (TOTP), also integrated in my pass installation. I also use a pair of Yubikeys as an additional authentication factor.

Secure Browsing

My Firefox setup includes privacy-focused extensions like uBlock Origin, Privacy Badger, and HTTPS Everywhere. These tools block ads, prevent tracking, and ensure secure connections. Additionally, I utilize container tabs to separate different browsing activities, minimizing the risk of cross-site tracking.

Regular Updates

Keeping all systems and applications up-to-date is crucial for mitigating vulnerabilities. I ensure that my operating systems, applications, and firmware are regularly updated to protect against known security threats.

Minimal Third-Party Services

By self-hosting services like email and file synchronization, I minimize the exposure of my data to third-party entities. This approach gives me greater control over my data and reduces the risk of data breaches.

Network Security

For better protection and anonymity, I often rely on the TOR (The Onion Router) network, an anonymity network designed to protect users’ privacy and defend against network surveillance and traffic analysis.

By routing my internet traffic through the TOR network, I can better anonymize my online activities. TOR achieves this by encrypting data multiple times and routing it through a series of volunteer-operated servers, or nodes. Each node decrypts a layer of encryption to reveal only the next destination, ensuring that no single point in the route knows both the source and destination of the data.
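The layering described above can be traced in a few lines. This is an added illustration, not code from TOR or from this setup: the cipher is a toy stand-in built from SHA-256, and the node names, keys and destination are constructed for the demo (real circuits negotiate a fresh key with each hop).

```python
import hashlib
import struct

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not secure."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">Q", block // 32)).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: encrypt (next hop, inner blob) under this hop's key."""
    hop = next_hop.encode()
    return keystream_xor(key, struct.pack(">H", len(hop)) + hop + inner)

def peel(key: bytes, blob: bytes) -> tuple[str, bytes]:
    """Remove one layer: recover the next hop and the still-encrypted remainder."""
    plain = keystream_xor(key, blob)
    (n,) = struct.unpack(">H", plain[:2])
    return plain[2:2 + n].decode(), plain[2 + n:]

def build_onion(route, destination: str, message: bytes) -> bytes:
    """Client side: wrap for the exit first, then each earlier hop around it."""
    hops = [name for name, _ in route[1:]] + [destination]
    blob = message
    for (_, key), next_hop in zip(reversed(route), reversed(hops)):
        blob = wrap(key, next_hop, blob)
    return blob

def relay(route, onion: bytes, sender: str = "client"):
    """Pass the onion along the route; log what each node can observe."""
    seen, prev, blob = {}, sender, onion
    for name, key in route:
        next_hop, blob = peel(key, blob)
        seen[name] = {"from": prev, "to": next_hop}
        prev = name
    return seen, blob

# Constructed sample circuit; names and keys are made up for the demo.
ROUTE = [("guard", b"k-guard"), ("middle", b"k-middle"), ("exit", b"k-exit")]

if __name__ == "__main__":
    onion = build_onion(ROUTE, "example.org:443", b"GET / HTTP/1.1")
    seen, delivered = relay(ROUTE, onion)
    for node, view in seen.items():
        print(f"{node:6} sees {view['from']} -> {view['to']}")
    print("delivered:", delivered)
```

Only the guard sees the client and only the exit sees the destination. The exit also recovers the payload itself, which is why traffic still needs its own end-to-end encryption on top of the onion layers.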

To maximize the benefits of TOR, I integrate it with various applications on my devices:

  • TOR Browser: I use the TOR Browser for secure and anonymous web browsing. It is a modified version of Firefox, designed to work seamlessly with the TOR network and includes built-in privacy protections.
  • OnionShare: For securely sharing files, I use OnionShare, which allows me to share files directly through the TOR network without needing to rely on third-party services.

Further, for secure communication, I use messaging apps that support TOR routing. This ensures that my messages are not only encrypted end-to-end but also anonymized through TOR. Applications like nchat can be configured to use TOR (using SOCKS5), adding an extra layer of security to my communications.

I also use a custom DNS filter, based on Cloudflare Zero Trust (more details here).

Reduced Attack Surface with TUI Applications

One of the significant advantages of using terminal-based applications (TUI) is the reduced attack surface. Graphical applications often come with larger codebases and dependencies, increasing the potential for vulnerabilities. TUIs, being simpler and more lightweight, have fewer points of failure. This reduces the likelihood of security flaws and makes it easier to audit the code for vulnerabilities.


While my current tech setup reflects a strong commitment to security and privacy, I acknowledge that it is not perfect. For instance, I could switch from Telegram to more privacy-focused alternatives like Signal or Briar.

Additionally, instead of relying on Google’s push notifications through MicroG, I could set up a self-hosted UnifiedPush service to enhance my control over notifications. However, my primary goal is to find the right balance between security, privacy, and usability.

This compromise ensures that my devices remain functional and convenient for everyday use while still providing a robust level of protection for my data. By continually reassessing and adjusting my setup, I strive to maintain this balance and adapt to new privacy challenges and technological advancements.