The Ultimate Security Guide
The information provided is “as-is” and comes with no guarantee.
This guide is focused strictly on security.
Hardware
Securing the hardware we are using is the most critical thing within OPSEC. If the hardware is compromised, it is assumed everything done on that device is compromised as well. There is no point in security if you cannot be reasonably secure on the device you are using.
reasonably secure meaning that you can safely assume security on your device. For instance, a fresh-install of Windows, Linux, etc. without verifying the install. It can be assumed to be secure, but ultimately within secure systems, it is imperative to verify the integrity of the OS before we even begin.
In the modern age, it is extremely difficult to have a system that is 100% secure. Can you trust your CPU? Who’s to say that a state actor or a malicious employee didn’t implant malicious micro-code at the factory level? Can you trust the device and all of it’s components? Do you trust? Everything comes down to trust. At what point can you trust something and not trust it? Ideally, you would verify everything from the code in the linux kernel, to the firmware that runs your HID’s. Reviewing all of this code by yourself is a daunting task that very few accomplish. At some point, you will have to trust something. Whether it’s the word from the community that something is “secure” or that there isn’t a backdoor in your CPU.
Storage
In terms of secure storage, the debate ultimately arrives at HDD vs SSD. The main difference in terms of security for HHD’s over SSD’s is that with HDD’s you can visibly inspect the platter for writed content. HHD’s physically write 1’s and 0’s onto the platter with a small magnetic needle. Since the platter is essentially a physical “CD” we can clearly inspect it. When utilizing secure deletion, it is paramount to verify that the content has actually been overwritten. With HDD’s you can verify this. With SSD’s you cannot.
Additional Readings
Operating System
In terms of security, the best operating system is going to be Qubes OS. QubesOS is based upon virtualization which provides the best security we can achieve on a personal system. Of course, it is absolutely crucial to verify the signature. If the image is malicious, then it can be assumed the entire device is infected as well.
Qubes is comprised of several “virtual systems” (technically they are not, but for terms of those who are not famillear with Qubes) called Qubes. Each of these are based upon their own templates. What seperates Qubes from using several VMs on a host, is the base image is provided as a template. Each Qube will utilize the selected template, the OS files in the Qube are volitile meaning that if you need to make changes to the actual host (template), you can do so in the template Qube. Changing a setting in the template will persist to all Qubes with those selected as the template.
With Qubes, you can induldge in some extremely crazy things. Each USB device connected can be automatically attached to a sys-usb Qube, meaning that a potentially malicious USB device is immedietely sandboxed in an offline Qube. On top of that, it is possible to have private keys stored in an offline Qube, and use passthrough to sign and verify signatures to a Qube connected to the network, all while keeping your private keys offline & secure within their own Qube.
The possibilities are quite infinite with Qubes. Discussing them all here is impractical for the scope of this guide.
Most Linux / UNIX based operating systems can be configured to be reasonably secure (This is italicized as the ONLY way to be truley secure on an operating system is to not have one at all). Hardening a Linux system should start from the “ground up”, meaning we first have to trust our hardware (which will be explained in another section), along with verifying our kernel and any other programs (which will be explained in another section). After we are reasonably sure that our hardware is secure, we can start with kernel hardening. There is a dated guide which discusses various options for kernel hardening. (Last edit was in 2022 for this guide). The Arch Wiki has a section for hardening. Most other distros will have documentation relating to the security of the system.