A Personal Security Checklist (In Progress)
significant revisions:
7 May 2015
“Security is a process, not a product.”
I came to building a secure traveling laptop from any number of directions and for endless reasons. Today’s world simply demands we hold dearly to our freedoms, lest they disappear. As many who read my musings here know, I am an ardent believer in freedom, diversity, and humanity. As my sister always said of me: “I am intolerant of intolerance.” ’Tis true.
Over the past several weeks I have utilized every resource at my disposal—Linux documentation and distros, AI, Internet forums, and a fair bit of personal stress. Among my discoveries are: security and freedom are more than a state of mind, more than wishes and desires. They are not a destination; they are a journey. They are hard work—and—they are not free.
Ancient geek that I am, I have chosen to build my environment on Open Source materials. Everything I use is in the public domain and free of governmental involvement. I will share my journey so others may learn, and I will be less likely to forget.
This document reflects a work-in-progress Arch-based setup that balances usability with hardened layers. It is not a one-night configuration, and it won’t be static. I’ve chosen a mix of tools that respect both system integrity and human fallibility—and this is my ongoing record of how I got there.
I find it essential to remind myself and others: better is more important than perfect. Work incrementally and in alignment with your skills, interests, and most urgent needs. In other words, claw back your threatened or lost freedoms. Do not panic. Stay focused.
Table of Contents
- Primary Building Blocks
- BIOS & Disk-Level Security
- Core OS Installation
- Filesystem Strategy
- Primary Security Software
- Applications in Firejail
- Optional & Planned Enhancements
- Closing Notes
Primary Building Blocks
Like many, I have a number of old Dell laptops. I am using two of them—my best machines. They are important to me.
I’ve elected to utilize two distinct variants of Arch Linux (one on each laptop):
- Arch Linux (Vanilla)
- EndeavourOS (EOS)
My installation processes are standard for each variant (archinstall for vanilla Arch and Calamares for EOS). In both cases, I use GRUB for my boot. On both machines, I have ratcheted up BIOS and disk-level security from the start. If you use systemd-boot beware you may encounter problems similar to those I found with AppArmor running GRUB. It’s all part of the journey, you know.
BIOS & Disk-Level Security
- Secure Boot enabled in audit mode (alerts on kernel tampering without blocking unsigned components)
- UEFI Admin password to prevent unauthorized BIOS changes
- Disk formatted with Btrfs on LUKS encryption
- Optional: Disable unused peripherals (e.g., webcam, mic, network devices)
- Advanced: Investigate disabling Intel ME or AMD PSP (still on my to-do list)
Core OS Installation
- Base system installed via archinstall or EndeavourOS Calamares
- XFCE4 desktop used initially for stability and simplicity
- Planned future environment: custom dwm and i3wm setups
Filesystem Strategy
- Btrfs subvolumes structured as:
@,@home,@snapshots,@log, etc. - Snapshot tools under evaluation:
snapperbtrfs-assistanttimeshift
Primary Security Software
(Note: Bolded tool name link/ accesses ‘relevant’ installation and setup guides.)
| Tool | Purpose | Status |
|---|---|---|
| AppArmor | Mandatory access control (MAC) Note: Neither my EOS nor Arch LTS-kernels had apparmor activated. The link (left) describes how that was over-come in GRUB. I have no idea if the same issue exists in systemd-boot. |
Testing & tuning |
| Firejail | Application sandboxing | Active |
| UFW + GUFW | Firewall management | Active |
| USBguard | USB-Plugin device access management | Active |
| Fail2Ban | Brute force protection for SSH/web services | Pending setup |
| rkhunter | Active | |
| chkrootkit | Active | |
| ClamAVNet | Open-source standard for mail gateway-scanning software. | Active |
| hBlock | Host-level ad/tracker blocking | Active |
| Mullvad VPN | Privacy-respecting VPN with killswitch | Active |
| Mullvad Browser | Hardened browser for non-Tor private use | Firejailed |
| Brevo | SMTP service used with Thunderbird | Active |
Applications ‘Sandboxed’ in Firejail
- Firefox
- Thunderbird
- Mullvad Browser
- Maestral (Dropbox sync client)
- OnlyOffice
Additional apps under review for firejail sandboxing:
- feh,
- gimp,
- gthumb,
- celluloid
Use firecfg to apply system-wide defaults and customize ~/.config/firejail/ as needed.
Planned Enhancements & Past Troubles
- AppArmor profile tuning with aa-status, aa-complain, and aa-enforce. Should you run into installation/ activation problems, like I have, follow this link to see how I fixed mine.
- Log monitoring tools:
- logwatch
- journalctl (filetring alerts)
- SSH hardening (AllowUsers, custom ports, disable password login)- I doubt I will do this. I have not used ssh in the last 50 years; ssh protection is probably not an urgent ‘fix’ for me.
Closing Notes
This document is not intended to be a manifesto or a lecture, and it isn’t the final word. This simply represents the current shape of my secure system journey. A journey that respects both privacy and practical use. Like all good systems, it will evolve.
Should you elect to embark on this trip, I hope that you fare well.
Feedback, questions, or suggestions?
This content is free to use, adapt, and share.
Knowledge and information should be open—please spread them far and wide.A few things to keep in mind:
- All of my work comes with absolutely no warranty, expressed or implied. However…
- It will almost certainly work until it breaks,
though I must admit it may never work or be useful—and that would be sad.- If/when it breaks, you can keep all the pieces.
- As for what you don’t like, it’s yours to do with as you will.
- If you find my materials helpful, both you and I will be happy (at least for a while).
- My advice is worth every penny you paid for it!
Full disclosure:
I use various AI systems to assist in developing my content.
If you’re curious about how I use them, feel free to check out:
The Revolutionary Impact of AI on Genealogy and Historical Research.
