Network
Start with a router that supports firmware like DD-WRT or OpenWRT
Set up a firewall like IPFire or pfSense, OR purchase a dedicated device like the SG-1000
Blacklist ad/tracking domains with Pi-Hole
BIOS
Use CoreBoot if your hardware allows
OS
Start with the basics: https://ssd.eff.org/en
Advanced Mode: Qubes or Whonix
Arch First Steps
https://github.com/sorin-ionescu/prezto
https://wiki.archlinux.org/index.php/security
For everything else, see the oracle: wiki.archlinux.org
SSH
EdDSA requires OpenSSH 6.5 (check with ssh -V) or GnuPG 2.1 (check with gpg --version), so use 4096-bit RSA keys if Ed25519 is not available.
ssh-keygen -t ed25519 -a 100
OR ssh-keygen -t rsa -b 4096 -o -a 100
Ref: https://stribika.github.io/2015/01/04/secure-secure-shell.html
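The version check and fallback described above, scripted so the choice is made from the installed OpenSSH rather than by hand. This is an added example, not part of the original notes or the linked guide; the function names and the output path under ~/.ssh are assumptions, and the ssh-keygen options are the two commands given above.

```shell
#!/bin/sh
# Added example (not from the original notes): pick the key type the notes
# recommend from the installed OpenSSH version, then generate it.
# Ed25519 needs OpenSSH >= 6.5; anything older falls back to 4096-bit RSA.
set -eu

# Extract "major minor" from an `ssh -V` banner such as
# "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022".
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print "ed25519" when the banner is OpenSSH 6.5 or newer, otherwise "rsa".
# An unparseable banner also yields "rsa", the option that works everywhere.
choose_key_type() {
    set -- $(ssh_version "$1")   # now $1=major $2=minor
    [ "$#" -eq 2 ] || { echo rsa; return; }
    if [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 5 ]; }; then
        echo ed25519
    else
        echo rsa
    fi
}

# Build the ssh-keygen command for the chosen type. Options mirror the notes:
# -a 100 KDF rounds for the private-key passphrase, -o for the new key format
# (only needed on RSA; ed25519 keys are always written in the new format).
keygen_command() {
    case "$1" in
        ed25519) echo "ssh-keygen -t ed25519 -a 100 -f '$2'" ;;
        rsa)     echo "ssh-keygen -t rsa -b 4096 -o -a 100 -f '$2'" ;;
        *)       echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# Only generate a key when asked to; `ssh -V` prints its banner on stderr.
if [ "${1-}" = "--generate" ]; then
    banner=$(ssh -V 2>&1)
    type=$(choose_key_type "$banner")
    echo "detected: $banner -> $type"
    eval "$(keygen_command "$type" "$HOME/.ssh/id_$type")"   # assumed output path
fi
```

Run it as `sh keytype.sh --generate`; without the flag it only defines the functions, which makes the decision logic easy to check against sample banners.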
GPG
~/.gnupg/gpg.conf:
## Avoid leaking information (GnuPG version, comments, extra signatures)
no-emit-version
no-comments
export-options export-minimal
## Displays the long format of the ID of the keys and their fingerprints
keyid-format 0xlong
with-fingerprint
## Displays the validity of the keys
list-options show-uid-validity
verify-options show-uid-validity
## Limits the algorithms used
personal-cipher-preferences AES256
personal-digest-preferences SHA512
default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
cipher-algo AES256
digest-algo SHA512
cert-digest-algo SHA512
compress-algo ZLIB
disable-cipher-algo 3DES
weak-digest SHA1
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
Create Master Key
gpg2 --expert --full-gen-key
OPTION 8 > s > e > q
4096 > 1y > y
Create Sub-Keys
gpg2 --list-keys
gpg2 --expert --edit-key <KEYID>
addkey
8 > s > q > 1y > y > y
Repeat for Signing and Authentication key.
gpg> save
gpg> quit
Create Revocation For Master Key
gpg2 --output <KEYID>.rev --gen-revoke <KEYID>
Save All Keys
gpg2 --export --armor <KEYID> > <KEYID>.pub.asc
gpg2 --export-secret-keys --armor <KEYID> > <KEYID>.priv.asc
gpg2 --export-secret-subkeys --armor <KEYID> > <KEYID>.sub_priv.asc
These files all go to secure offline storage (take backups!)
Delete All Keys
gpg2 --delete-secret-key <KEYID>
Import Sub Keys
gpg2 --import <KEYID>.sub_priv.asc
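The Create Master Key through Import Sub Keys steps above, run end to end without menu prompts inside a throwaway GNUPGHOME, so the workflow can be rehearsed and the resulting key layout inspected before it is done on a real keyring. This is an added example, not from the original notes or the linked guides; it needs GnuPG 2.1 or later (for --quick-add-key and the openpgp-revocs.d directory), and the name, e-mail and %no-protection setting are constructed for the rehearsal only.

```shell
#!/bin/sh
# Added example, not from the original notes: the master-key / subkey /
# revoke / export / delete / re-import flow, non-interactive, in a temporary
# GNUPGHOME. Requires GnuPG 2.1+. Output files land in the current directory.
set -eu

# Unattended-key-generation parameters for a certify-only 4096-bit RSA primary
# (the notes' --expert path: option 8, toggle s and e off, q, 4096, 1y).
# %no-protection is for rehearsal only; a real master key gets a passphrase.
render_batch_params() {
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $1
Name-Email: $2
Expire-Date: 1y
%commit
EOF
}

rehearse() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
    trap 'rm -rf "$GNUPGHOME"' EXIT

    # Constructed identity (placeholder values).
    render_batch_params "Example Key" "key@example.invalid" | gpg --batch --gen-key
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    echo "master fingerprint: $fpr"

    # One subkey per capability, as the notes do with addkey three times.
    for usage in encr sign auth; do
        gpg --batch --quick-add-key "$fpr" rsa4096 "$usage" 1y
    done

    # GnuPG 2.1+ writes a revocation certificate at key-creation time; keep a
    # copy of it (this stands in for the notes' --gen-revoke step).
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$fpr.rev"

    # Same three exports as the notes.
    gpg --export --armor "$fpr"                > "$fpr.pub.asc"
    gpg --export-secret-keys --armor "$fpr"    > "$fpr.priv.asc"
    gpg --export-secret-subkeys --armor "$fpr" > "$fpr.sub_priv.asc"

    # Remove the secret master, import only the subkeys, then confirm the
    # primary is now a stub: field 15 of the sec record is '#'.
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpg --batch --import "$fpr.sub_priv.asc"
    stub=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="sec"{print $15; exit}')
    if [ "$stub" = "#" ]; then
        echo "master secret key is offline; subkeys remain usable"
    else
        echo "unexpected: secret primary still present" >&2
        return 1
    fi
}

if [ "${1-}" = "--rehearse" ]; then
    rehearse
fi
```

Run with `sh gpg-rehearse.sh --rehearse`. The final check is the same thing `gpg --list-secret-keys` shows as `sec#` in human-readable output: the certify-only primary is absent from the working keyring, which is the state the notes want on a daily-use machine.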
https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/
Bonus! https://github.com/lfit/ssh-gpg-smartcard-config/blob/master/YubiKey_NEO.rst
Ref:
Debian Guide https://wiki.debian.org/Keysigning#Step_1:_Create_a_RSA_keypair
GNU Privacy Handbook https://www.gnupg.org/gph/en/manual.html
Firefox
Addons
- Multi Account Containers
- Temporary Containers
- HTTPS Everywhere
- Privacy Badger
- uBlock Origin
- Web Annoyances uBlock List
- NoScript
- NoCoin
- Neat URL
- KeepassXC-Browser
- DuckDuckGo
- Anti-Paywall
about:config tweaks
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
browser.search.geoip.url = blank
browser.send_pings = false
browser.urlbar.speculativeConnect.enabled = false
datareporting.healthreport.uploadEnabled = false
dom.battery.enabled = false
dom.event.clipboardevents.enabled = false
dom.event.contextmenu.enabled = false
extensions.pocket.enabled = false
extensions.pocket.site = blank
extensions.pocket.oAuthConsumerKey = blank
extensions.pocket.api = blank
geo.enabled = false
loop.enabled = false
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.cookie.lifetimePolicy = 2
network.dns.disableIPv6 = true
network.predictor.enabled = false
network.dns.disablePrefetch = true
network.prefetch-next = false
network.IDN_show_punycode = true
network.http.speculative-parallel-limit = 0
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.http.referer.spoofSource = true
network.http.sendSecureXSiteReferrer = false
plugins.enumerable_names = blank
privacy.donottrackheader.enabled = true
privacy.donottrackheader.value = 1
privacy.trackingprotection.enabled = true
toolkit.telemetry.enabled = false
browser.safebrowsing.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.provider.google4.updateURL = blank
browser.safebrowsing.provider.google4.reportURL = blank
browser.safebrowsing.provider.google4.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google4.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google4.lists = blank
browser.safebrowsing.provider.google4.gethashURL = blank
browser.safebrowsing.provider.google4.dataSharingURL = blank
browser.safebrowsing.provider.google4.dataSharing.enabled = false
browser.safebrowsing.provider.google4.advisoryURL = blank
browser.safebrowsing.provider.google4.advisoryName = blank
browser.safebrowsing.provider.google.updateURL = blank
browser.safebrowsing.provider.google.reportURL = blank
browser.safebrowsing.provider.google.reportPhishMistakeURL = blank
browser.safebrowsing.provider.google.reportMalwareMistakeURL = blank
browser.safebrowsing.provider.google.pver = blank
browser.safebrowsing.provider.google.lists = blank
browser.safebrowsing.provider.google.gethashURL = blank
browser.safebrowsing.provider.google.advisoryURL = blank
browser.safebrowsing.downloads.remote.url = blank
browser.selfsupport.url = blank
browser.aboutHomeSnippets.updateUrl = blank
browser.startup.homepage_override.mstone = ignore
browser.startup.homepage_override.buildID = blank
startup.homepage_welcome_url = blank
startup.homepage_welcome_url.additional = blank
startup.homepage_override_url = blank
toolkit.telemetry.cachedClientID = blank
network.dnsCacheEntries = 100
network.dnsCacheExpiration = 60
browser.formfill.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.offline.enable = false
layout.frame_rate.precise = true
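Applying a list this long by hand in about:config is error-prone, and the values silently revert on a profile reset. The converter below turns "name = value" lines like the ones above into a Firefox user.js, which re-applies the prefs at every startup. It is an added example, not part of the original notes; the sample lines are a constructed excerpt of the list, "blank" is taken to mean the empty string as the notes use it, and the PROFILE_DIR variable is an assumption (find the real path under about:profiles).

```shell
#!/bin/sh
# Added example, not from the original notes: convert "name = value" lines
# into user_pref() statements for a Firefox user.js. Values are typed the way
# about:config stores them: true/false stay booleans, digit-only values stay
# integers, "blank" becomes "", anything else is a quoted string.
set -eu

# Convert one "name = value" line to a user_pref() statement.
to_user_pref() {
    name=${1%% =*}
    value=${1#*= }
    case "$value" in
        true|false)   printf 'user_pref("%s", %s);\n' "$name" "$value" ;;
        blank)        printf 'user_pref("%s", "");\n' "$name" ;;
        ''|*[!0-9]*)  printf 'user_pref("%s", "%s");\n' "$name" "$value" ;;
        *)            printf 'user_pref("%s", %s);\n' "$name" "$value" ;;
    esac
}

# Convert a whole list on stdin. Duplicate keys are reported on stderr,
# because in user.js the last occurrence silently wins.
to_user_js() {
    seen=""
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%% =*}
        case " $seen " in *" $key "*) echo "# duplicate key: $key" >&2 ;; esac
        seen="$seen $key"
        to_user_pref "$line"
    done
}

# Constructed excerpt of the list above, with one pref repeated on purpose
# to show the duplicate warning.
sample_prefs='privacy.firstparty.isolate = true
network.cookie.cookieBehavior = 1
browser.search.geoip.url = blank
browser.startup.homepage_override.mstone = ignore
network.prefetch-next = false
network.prefetch-next = false'

if [ "${1-}" = "--write" ]; then
    # PROFILE_DIR is an assumed environment variable pointing at the profile.
    printf '%s\n' "$sample_prefs" | to_user_js > "${PROFILE_DIR:?set PROFILE_DIR to your Firefox profile directory}/user.js"
fi
```

Feed the full list through `to_user_js` instead of the excerpt to produce the real file; the duplicate check is what catches a pref listed twice with different values, where only the later line would take effect.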