Blog

ChatGPT Image May 6, 2025, Security Sentinel

Building a Resilient Desktop

A Personal Security Checklist (In Progress)

“Security is a process, not a product.”

I came to building a secure traveling laptop from any number of directions and for endless reasons. Today’s world simply demands we hold dearly to our freedoms, lest they disappear. As many who read my musings here know, I am an ardent believer in freedom, diversity, and humanity. As my sister always said of me: “I am intolerant of intolerance.” ’Tis true.

Over the past several weeks I have utilized every resource at my disposal—Linux documentation and distros, AI, Internet forums, and a fair bit of personal stress. Among my discoveries are: security and freedom are more than a state of mind, more than wishes and desires. They are not a destination; they are a journey. They are hard work—and—they are not free.

Ancient geek that I am, I have chosen to build my environment on Open Source materials. Everything I use is in the public domain and free of governmental involvement. I will share my journey so others may learn, and I will be less likely to forget.

This document reflects a work-in-progress Arch-based setup that balances usability with hardened layers. It is not a one-night configuration, and it won’t be static. I’ve chosen a mix of tools that respect both system integrity and human fallibility—and this is my ongoing record of how I got there.

I find it essential to remind myself and others: better is more important than perfect. Work incrementally and in alignment with your skills, interests, and most urgent needs. In other words, claw back your threatened or lost freedoms. Do not panic. Stay focused.

Table of Contents

Primary Building Blocks

Like many, I have a number of old Dell laptops. I am using two of them—my best machines. They are important to me.

I’ve elected to utilize two distinct variants of Arch Linux (one on each laptop):

  • Arch Linux (Vanilla)
  • EndeavourOS (EOS)

My installation processes are standard for each variant (archinstall for vanilla Arch and Calamares for EOS). In both cases, I have ratcheted up BIOS and disk-level security from the start.

Free password lock laptop image

BIOS & Disk-Level Security

  • Secure Boot enabled in audit mode (alerts on kernel tampering without blocking unsigned components)
  • UEFI Admin password to prevent unauthorized BIOS changes
  • Disk formatted with Btrfs on LUKS encryption
  • Optional: Disable unused peripherals (e.g., webcam, mic, network devices)
  • Advanced: Investigate disabling Intel ME or AMD PSP (still on my to-do list)

Core OS Installation

  • Base system installed via archinstall or EndeavourOS Calamares
  • XFCE4 desktop used initially for stability and simplicity
  • Planned future environment: custom dwm and i3wm setups

Filesystem Strategy

  • Btrfs subvolumes structured as: @, @home, @snapshots, @log, etc.
  • Snapshot tools under evaluation:
    • snapper
    • btrfs-assistant
    • timeshift

Primary Security Software

Tool Purpose Status
AppArmor Mandatory access control (MAC) Testing & tuning
Firejail Application sandboxing Active
UFW + GUFW Firewall management Enabled
USBguard USB-Plugin device access management Enabled
Fail2Ban Brute force protection for SSH/web services Pending setup
hBlock Host-level ad/tracker blocking Installed
Mullvad VPN Privacy-respecting VPN with killswitch Active
Mullvad Browser Hardened browser for non-Tor private use Firejailed
Brevo SMTP service used with Thunderbird Active

Applications in Firejail

  • Firefox
  • Thunderbird
  • Mullvad Browser
  • Maestral (Dropbox sync client)
  • OnlyOffice

Additional apps under review for sandboxing:

  • LibreOffice (for downloaded/opened documents)
  • Image viewers (e.g., feh, gthumb)

Use firecfg to apply system-wide defaults and customize ~/.config/firejail/ as needed.

Optional & Planned Enhancements

  • AppArmor profile tuning with aa-status, aa-complain, and aa-enforce
  • Firejail custom profiles for less common apps
  • Log monitoring tools:
    • logwatch
    • journalctl filtering/alerts
  • Rootkit checkers:
    • rkhunter
    • chkrootkit
  • SSH hardening (AllowUsers, custom ports, disable password login)

Closing Notes

This document is not intended to be a manifesto or a lecture, and it isn’t the final word. This simply represents the current shape of my secure system journey. A journey that respects both privacy and practical use. Like all good systems, it will evolve.

Should you elect to embark on this trip, I hope that you fare well.

Feedback, questions, or suggestions?

Send them my way.

 

This content is free to use, adapt, and share.
Knowledge and information should be open—please spread them far and wide.

A few things to keep in mind:

  • All of my work comes with absolutely no warranty, expressed or implied. However…
  • It will almost certainly work until it breaks,
    though I must admit it may never work or be useful—and that would be sad.
  • If/when it breaks, you can keep all the pieces.
  • As for what you don’t like, it’s yours to do with as you will.
  • If you find my materials helpful, both you and I will be happy (at least for a while).
  • My advice is worth every penny you paid for it!

Full disclosure:
I use various AI systems to assist in developing my content.
If you’re curious about how I use them, feel free to check out:
The Revolutionary Impact of AI on Genealogy and Historical Research.