What do you do to stay secure? What tools do you use to stay safe online?
Everytime I run a security training session, I get asked this sort of question. I try to provide a short answer tailored to the organisational context, the person’s needs, and understanding of IT.
To me though, staying secure online means owning my data.
Fair warning, I’ll be using the word “data” quite often in this article.
Ownership & security
I don’t want Amazon to sell me more products; nor do I want my photos to help train Apple’s image recognition systems.
I do not want to be at the mercy of an automated system that can suspend my account at any time, because it thinks that I didn’t properly follow the Terms & Conditions. Yes, that does happen.
Simply put, I do not want anyone to use my information for any purposes I did not explicitly approve of. In practice, I want to protect my private data from theft, loss, tampering and advertisers. With this choice comes the responsibility of keeping it secure.
Achieving independence
Tech giants’ services are convenient and easily available. Taking back control is, unsurprisingly, a challenge. So, when building a system to process my data, I had to focus my efforts on what I valued most:
- Passwords & credentials
- Documents and contracts
- Notes
- Photos
- Contacts
Threat Model
Before we get to the solutions, let’s quickly go over my threat model, following OWASP’s simplified methodology.
Decomposing the system
The system must allow me to securely process (ie store, access, create, delete, modify) the aforementioned files; and more generally, protect all my data (eg. location, the fact I love pizza, etc.).
I’m the system’s sole user, and usually rely on my smartphone and computer for all processing.
Determining threats
In no particular order, here are some things that can go wrong:
- I could lose data if I lose my devices, or if my online accounts get banned.
- Tech giants could build a shadow profile on me, and target me with ads that push me to overconsume.
- Strangers could learn a lot about me if my data is all over the internet.
- An attacker having compromised my Google account could identify my physical whereabouts.
- An attacker having compromised one of my passwords, could access my other accounts if this password is reused.
- An attacker could steal my data, either through social engineering or technical attack vectors.
Deciding on countermeasures and mitigations
How can my system process my data while avoiding these threats? Again, in no particular order, here’s a list of mitigating actions:
- Backup my data on devices I own
- Use unique passwords and multi factor authentication
- Avoid using services provided by organisations I have no control over, as much as possible
- Ensure my data is stored in secure locations, and encrypted when not stored in secure locations
- Ensure I leak as little information as possible online
The stack
So how does an engineer go about achieving all these goals all while having a decent user experience, easy or no maintenance, and low set up & running costs?
Software stack
Safe browsing
I use Firefox (please use Firefox by the way). But a browser will not singlehandedly keep me secure online.
I also depend on 3 great extensions that keep the unwieldy parts of the internet at bay:
Together, they block ads and unwanted JavaScript code, and prevent inquisitive advertisers from tracking me across different websites.
I recommend Restore Privacy’s guide to securing FireFox if you’re interested in hardening your browser.
Phone
Google lives on data. That’s why I run GrapheneOS on my degoogled Pixel 6 phone. GrapheneOS provides many security features that totally eliminate some vulnerability classes.
And having a degoogled Android phone protects me from leaking too much info to Google, and potential attackers who could have access to my Google account.
Credentials
For password management, Keepass is my weapon of choice. To manage a synced password database, I use two flavours of Keepass: KeepassXC on my laptop, and Keepass2Android on my phone.
As for MFA, I rely on a Yubikey wherever possible. And when that’s not feasible, I use Aegis. Aegis allows me to easily backup my OTPs to a password encrypted file, and that comes in handy since my degoogled phone cannot backup its app data to the Google cloud.
Photos
Google Photos is brilliant. PhotoPrism provides some of Google Photos’ features, but can be self-hosted.
Notes
For note taking, Joplin does it for me. The user interface is simple, and just like Keepass and Aegis, it stores the notes in files, that can be easily synced or backed up.
Documents
Paperless-ngx offers a searchable interface for large document archive. It ingests all sorts of files, and even runs OCR on image-based PDFs.
It really makes storing and accessing paperwork a breeze, and it’s self-hosted!
Backups
We’ve made significant progress lately, and rsync is no longer the only viable option in backup town.
I use Syncthing to synchronise files across devices (eg. .vcf
, Aegis, Keepass and Joplin files), and restic to run encrypted nightly backups.
I could not be happier with both tools; they’re reliable and easy to set up and use.
Platform
To recap the threat model’s recommendations, my self-hosted services must run on a computer I own, in a secure location, and my data must be encrypted if stored in an untrusted location.
Home server
I installed Ubuntu server on an old laptop, plugged it into my home router, and configured it with a custom Ansible playbook I wrote.
The playbook also deploys my services with a simple docker compose .yaml
file.
I even set up a dnsmasq server to point to my internal services using memorable names like photos.lan
and documents.lan
!
Security in depth
“But perimeter security is never enough!” Yes, I know, thanks.
Let’s Encrypt certificates are unfortunately a hassle to deploy for internal services, so I use a self-signed TLS certificate. I’ve also set up login/password authentication on all my services, so breaking into my home Wifi won’t be enough to grant you access to my data.
3, 2, 1, backup!
To follow the famous 3-2-1 rule, the server runs a nightly cronjob to backup my encrypted files on a Scaleway S3 bucket, and I regularly manually backup my files onto standalone external SSDs.
And voilà, we’re all set!
Is this really better?
Well, I’m happy with my setup.
Is it the most secure thing ever? No. I’m not using Tails, Qubes, Tor, or even Proton services. But it’s good enough for me and my threat model.
It’s very low maintenance; the server & its services run without crashing for weeks on end. I do update them regularly, so restarts are needed, but otherwise, I’m willing to bet they’d run for years!
Financially speaking, it’s also quite cheap. I’m using an old laptop with a broken screen with 2 SSDs I had laying around. The whole machine sips 5 watts of power at idle, which is nearly all the time. That roughly translates to 0.60€ on my monthly electric bill. And the S3 storage costs me 0.50€ per month. Honestly, I don’t know how I could do it for cheaper.
Granted, the lay person won’t be doing all of this, but I do believe any reasonably skilled and willing engineer should be able to run a similar setup for themselves.