Then, select Create an Encrypted File Container:
Click the option that says “Hidden VeraCrypt Volume”
Here, choose the location for this volume and check the option that says “Never save history.”
Select your preferred encryption algorithm and hash algorithm. The defaults are fine, but you can change them if you want more security.
Next up, select the option “Use keyfiles.”
Click the keyfiles option as seen in the image below:
You can generate and save the key here.
On the next window, click “add files” and enter your key. You can also generate another key here if you want, by clicking the “Generate Random Keyfile” option.
You can also use existing keys.
Finally, click “Format” and finish creating the volume which should now be visible.
Now load this volume with contents that appear sensitive.
Now follow the same steps.
Remember: This is a hidden volume, so consider its security your first priority.
Once done, this popup will appear. Read it carefully.
Tor browser is an effective way to maintain your privacy online. Tor uses .onion address extensions rather than the traditional .com and other such extensions.
You can download the Tor Browser here.
Once downloaded, open the zip file and:
Configure Security Settings
You can easily configure your browser security settings. Just click on the Onion icon in the top left (Image below).
Go to “Privacy and Security Settings.” Here, you can simply adjust the slider to meet your desired security needs.
Sometimes, your internet service provider may detect Tor traffic and might disable your use of Tor. However, you can get past that by using a Tor Bridge. Using bridges for Tor is not always needed but it is one of those security measures that are always good to take beforehand.
Click “Open Settings” in the connection pop-up box.
Click the option that says “Configure.”
Select “Yes” on the next screen.
Select transport type. By default, obfs3 is selected which is fine.
Optionally, if Tor is already running you can:
- Click the same onion icon on the top left
- Open Network settings
- Check “My ISP Blocks Connection” and then press Ok.
Use obfs3 – it is recommended by experts.
These are extensions that can be added to Tor which use its pluggable transport API. Pluggable transport extensions allow users to disguise their internet traffic as something else, for example Skype traffic when you are using Tor browser.
The good thing is that many of these transport extensions are already included in the Bridge Options menu.
If you do not plan to use Tor for your dark web activities, Firefox is a good alternative. Here is how to configure it:
Paste this into your Firefox URL bar: “about:config”.
- geo.enabled = false
- geo.wifi.uri = (leave blank)
- network.http.accept.default = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- network.http.use-cache = false
- network.http.keep-alive.timeout = 600
- network.http.max-persistent-connections-per-proxy = 16
- network.proxy.socks_remote_dns = true
- network.cookie.lifetimePolicy = 2
- network.http.sendRefererHeader = 0
- network.http.sendSecureXSiteReferrer = false
- network.protocol-handler.external = false #set the default and all the sub-settings to false
- network.protocol-handler.warn-external = true #set the default and all the sub-settings to true
- network.http.pipelining = true
- network.http.pipelining.maxrequests = 8
- network.http.proxy.keep-alive = true
- network.http.proxy.pipelining = true
- network.prefetch-next = false
- browser.cache.disk.enable = false
- browser.cache.offline.enable = false
- browser.sessionstore.privacy_level = 2
- browser.sessionhistory.max_entries = 2
- browser.display.use_document_fonts = 0
- intl.charsetmenu.browser.cache = ISO-8859-9, windows-1252, windows-1251, ISO-8859-1, UTF-8
- dom.storage.enabled = false
- extensions.blocklist.enabled = false
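To check that a profile actually carries these values, the following added example (not part of the original guide) audits a prefs.js file against a subset of the list above. The function names, the EXPECTED subset and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Firefox profile's prefs.js against values from the list above.
# prefs.js only stores prefs that differ from the default, so MISSING means
# the Firefox default is still in effect for that pref.
EXPECTED='geo.enabled=false
geo.wifi.uri=
network.proxy.socks_remote_dns=true
network.cookie.lifetimePolicy=2
network.http.sendRefererHeader=0
network.prefetch-next=false
browser.cache.disk.enable=false
browser.sessionstore.privacy_level=2
dom.storage.enabled=false'

# audit_prefs FILE: print one line per deviation; exit status = number of deviations.
audit_prefs() {
    file=$1; bad=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 255; }
    for pair in $EXPECTED; do
        name=${pair%%=*}; want=${pair#*=}
        # Fixed-string match on the quoted name; if a pref appears twice, the last line wins.
        line=$(grep -F "user_pref(\"$name\"," "$file" | tail -n 1)
        if [ -z "$line" ]; then
            echo "MISSING  $name (want '$want')"; bad=$((bad + 1)); continue
        fi
        # Strip 'user_pref("name", ' and the trailing ');', then any surrounding quotes.
        got=$(printf '%s\n' "$line" | sed 's/^[^,]*,[ ]*//; s/);[ ]*$//; s/^"\(.*\)"$/\1/')
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name = '$got' (want '$want')"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample profile (not from a real machine): two prefs deviate, three are absent.
sample_prefs() {
    cat <<'EOF'
user_pref("geo.enabled", true);
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("network.proxy.socks_remote_dns", false);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.http.sendRefererHeader", 2);
user_pref("dom.storage.enabled", false);
EOF
}
```

Run it as `sample_prefs > /tmp/prefs.js; audit_prefs /tmp/prefs.js`, or point audit_prefs at the prefs.js inside your own profile directory while Firefox is closed.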
Some other helpful options include:
- Disabling all plugins by going to addons > plugins
- Disabling all live bookmarks: bookmarks > toolbar > right click latest headlines > delete
- Disable all updates by going to tools > options > advanced > update
- Get extra privacy by enabling the “do not track” feature from options > privacy
- Enable private browsing by going to tools > options > privacy
While it’s not recommended to use too many plugins, here are a few that you can opt for if you really want to use plugins while browsing:
- HTTPS Everywhere
- Privacy Badger
- Close n forget
- Modify headers
- User Agent Switcher
- Adblock plus
You can also check what kind of data your browser is sending by visiting ip-check.info
For maximum privacy, it’s recommended to get a router compatible with an open source firmware. The two best firmwares for this purpose are Tomato and dd-wrt.
You can, in some cases, use Tor directly on the router. You can also use a backup router as a “contingency plan” to establish secure connections for quick get-in and get-out.
Some people also configure a Raspberry pi as a local device through which they re-route their connections.
You can find the standalone Tor daemon in the Ubuntu/Debian/Arch package managers.
sudo apt-get install tor
sudo pacman -S tor
You can also add their PPA to get the latest version from this link.
Tor can be used as a socks proxy with the browser bundle or Tor daemon. Just navigate to the Network Settings and the Proxy section of the desired service.
Select Socks 4 Proxy and enter 127.0.0.1 port 9050.
Doing so will re-route all your connections through Tor.
I2P is a less commonly used alternative to Tor. Like Tor, it doesn’t use any .com or .org extensions. Instead, it uses .i2p extensions.
Here’s how you can add i2p to the package list:
- sudo apt-get update
- sudo apt-get install i2p
For Ubuntu: sudo apt-add-repository ppa:i2p-maintainers/i2p
For Debian, click here.
Starting i2p in terminal:
i2prouter start
You should check the configuration if you have trouble connecting to the i2p server. You can do so by visiting: localhost:7657/confignet
Your router or firewall may be blocking the connection.
Here’s the basic port unblocking:
- sudo iptables -A INPUT -p tcp --dport <i2p port here> -j ACCEPT
- sudo iptables -L
- sudo ufw allow <i2p port here>/tcp
- sudo ufw status
It is never recommended to use a free VPN. However, listed here is one that has been really helpful over the years.
Vpnbook.com is one of the very few free VPNs that actually work. However, you should always use Tor on top of the VPN to maintain your online privacy.
Sometimes, it becomes a necessity to use a proxy after the Tor exit node.
The setup is very easy.
- sudo apt-get install proxychains
- sudo nano /etc/proxychains.conf
- Under the [ProxyList] section, add:
socks4 127.0.0.1 9050 #Tor must go first
socks5 ipaddress port
To populate, you will have to search for a public socks proxy.
Start Firefox in terminal: proxychains firefox
The best way to maintain your online privacy is to get rid of the traditional operating systems, like Windows and Mac, and get Linux instead.
It is always a good practice to get a clean start. For this purpose, locate the firmware model on the motherboard of your computer and flash it.
Enabling a BIOS Boot Password
Press F12 to enter the BIOS and find the security section.
Use Bootable Operating System
This guide will show you how to install TAILS on a USB from a virtual machine.
- First, you will need to download Virtual Box
- Then, you should download the latest extension package
- Double click it to open
- Now Download TAILS
- Verify identity with PGP
- Now, open VirtualBox and connect a USB drive
Now click “new” on the top left (image below).
Name your virtual machine here and select Linux 32 or 64 bit depending on which version you downloaded.
You should set the memory size to at least 1024 for smooth performance.
Now, create a virtual hard drive.
VDI image is recommended.
At the next screen, you can select “dynamically allocated” and set the starting amount at a couple of gigabytes.
Now select the image and click the start button.
On the next screen, you should select the location of the .iso file that you downloaded.
Once started, head over to Applications > TAILS > TAILS Installer
At this point, make sure that the USB hard drive is connected. You will see a green plus over the USB icon (image below).
Now select “clone and install” and simply follow the installation steps.
Once started, you can create a persistent volume to store static content.
On the next reboot, you will be asked if you wish to use the persistent volume or not. Use only when indicated.
Recommended Base operating systems: Archlinux or Kali.
Debian, Mint or Ubuntu are good alternatives, though.
Secure VM with Whonix and VirtualBox
- First, download both Whonix-Gateway and Workstation
- Then, download Virtual Box
- Here, you might want to verify the downloaded files using the Signing Key
Click file import appliance and select the Whonix Gateway .ova file:
Keep the default settings as they are and then click the import button.
Repeat the same process for the workstation, select the .ova file.
Now import without changing settings.
Now select and start both applications at the same time.
You will see a booting screen (see image below) once the Workstation has finished processing.
At this point, you will need to keep both VM Windows open. However, most of your work will be in the Whonix-Workstation VM Window.
Here are some of the essentials you need for top-notch privacy:
- Disk Encryption: LVM encryption during install, encrypt home directory.
- Bleachbit: Clearing day to day files.
- Secure-delete package: Wipes content securely
Secure Data-Wiping with Linux
You can make this step easier by using an operating system like TAILS. TAILS allows for minimal persistent storage and automatic memory wiping.
Using BleachBit is easy, but it is slightly less effective.
sudo apt-get install bleachbit
With BleachBit, you can shred files and folders from the file menu. You can also make free space by wiping excess data that exists without pointers.
file→wipe free space
Using DBAN requires advanced skill as it is booted from a USB or a CD drive. It is ideal when discarding a hard drive.
You can download DBAN here. Once you have downloaded the .iso file, burn it on a CD or a USB drive.
- Select “RCMP TSSIT OPS-II” for deletion method.
- Now, select the drive
- Prepare to wait for 12 or more hours.
It is slightly easier to use than DBAN and also much more effective than BleachBit.
Again, you will need to boot from a CD or a USB drive.
Although properly deleting a file takes time, you can still use “Fast Mode” if you are in a hurry.
Here’s how to use it:
sudo apt-get install secure-delete
If you are wiping a disk:
Now find the disk name. It should be /dev/sdxx
Here, you should encrypt your partition. More importantly, wipe the space that’s considered free.
sudo sfill <mount point of /dev/sddisk#>    # sfill takes the directory where the partition is mounted, not the /dev node
If you need to clear swap space:
- cat /proc/swaps
- sudo swapoff /dev/sddisk#
- sudo sswap /dev/sddisk#
- sudo swapon /dev/sddisk#
If you don’t have enough time, you can use -m for 7 passes and -s for simple 1 pass.
sudo srm file
sudo srm -r /directory
You might also want to wipe the memory at the end.
Before physically destroying the disk, try to encrypt it first, so even if you fail you will still be secure.
Open the drive
Find the platter, retrieve it
& then SMASH it
Now locate any memory chips and destroy them as well.
Make sure not to dispose of it in a normal garbage can. Be discreet about where you dispose of it.
This is an old attack method which recovers encryption keys stored in RAM. Always use DDR3 or better memory if possible. Make sure to shut down the computer when you are not using it.
Another factor that can be used to build up an identity profile on you is your use of basic communication: spellings, grammar, and writing style. Authorities can single out similar patterns of communication and link them to your alternate identities.
It’s important to remember that you should never use nicknames or even mention your location or music taste and other stuff which can be linked back to you later.
JPG, JPEG, TIF, and WAV files all store data in EXIF (Exchangeable Image File Format) format. EXIF data can contain sensitive information, including geo-location and information about the device that you use.
To maintain privacy, always use PNG image format.
As you might have noticed the theme by now, no one on the internet can be trusted. Therefore, you should not trust any email providers either, no matter how many security claims they make. Use PGP to stay protected with emails.
Protonmail is a highly respected email client. However, it is invite-only and has a long waiting time – we’re talking several months.
Tutanota offers encrypted email services with OTP but you will have to configure PGP manually.
When used with PGP, Tor-based email clients such as Mail2Tor are secure enough to be used daily.
- sudo apt-get install pidgin
- go to tools→preferences
- Logging: disable log all instant messages/log all chats
- Go to proxy
- Select Socks 4
- enter: 127.0.0.1 9050
- Go to this link
- Under Security
- Download/Install: Off-The-Record, Pidgin-GPG
- Install any dependencies
- Activate Plugins in: Tools→Plugins
- Once activated, select configure plugin for both
- First, generate a unique key
- Now, enable Private messaging
- Also disable logging
- Automatically initiate private messaging (optional)
- Select show OTR in tool-bar
- If a conversation is not private, you will see a box saying “Not Private”
- Click Start Private Conversation
- If your partner has OTR properly configured, it will display private.
- select main key in options
- toggle encryption mode in conversations
- options→toggle openpgp encryption
Alternative Messaging Options
Pond messages are asynchronous. They expire automatically after a week of being sent.
PGP keys are unique identifiers that are not to be used across multiple accounts or on a public address.
Simple PGP on LINUX:
Ubuntu: sudo apt-get install gpa gnupg2
Arch: sudo pacman -S gpa gnupg2
How to generate keys:
- In terminal enter: gpg --gen-key or open gpa in terminal and it will prompt you to create one.
- Follow the prompts
- Select option 1 in most cases – RSA and RSA (default)
- Select at least 2048 key size
- Key expiration, hit enter if not needed.
- Make sure to not enter any real information
- Also make sure to use a secure passphrase for the key
- Then move the mouse as prompted. You can also type whatever you want. The goal is to create entropy.
Simple PGP with GNU Privacy Assistant
GPA will guide you through the creation process of your first key when you open it. Please do not put in any real information, unless intended.
Refresh or restart GPA and your keys will appear. Now click the clipboard.
Enter your message here:
Now select the key you wish to sign in with:
Now, you will see an encrypted message.
To decrypt it, click the mail icon on top (see image below). This will allow you to use the appropriate key.
More Details on GPA
Here’s how to export/import Public Key:
First, select your key-pair. Go to keys > export or import keys and proceed appropriately.
Here’s how to export/import Private Key:
- Select your key-pair. Go to keys > export or import keys and proceed appropriately.
- Now either choose where to save it or paste the desired key directly.
Here’s how to verify a message:
- Keys > Imports
- Now paste the public key directly
- Select “window” > clipboard
- Paste the entire text
- Click icon with the green key
- It will now display the name of the previously imported key if the information is authenticated
Here’s how to verify a file:
- Paste the public key
- back to terminal
- gpg --verify file
PGP with Email
Thunderbird is the most widely known and used.
- sudo apt-get install thunderbird enigmail
- Open Thunderbird
- Open Preferences→enigmail→Preferences
- Set the GPG path, in Ubuntu default is /usr/bin/gpg
You can also cut and paste your messages directly from GPA into the message window.
TAILS has an OpenPGP applet
Additional Reading on PGP
Some PGP libraries are known to have weak encryption. PGP versions can also reveal the operating system that you use. Therefore, you should research strange PGP versions.
Validating Files with MD5 or SHA 1
SHA 1 SUM
Whenever a file is provided, ideally a SHA1/MD5/PGP sum will be provided, which looks like a long string of characters.
In a Linux terminal, type: sha1sum filename
The output should be the same as the supplied string.
Again, a SHA1/MD5/PGP string will be provided whenever a file is provided. It will also look like a long string of characters.
In a Linux terminal, type: md5sum filename
The output should be the same as the supplied string.