Hardware
Daily-driver laptop
A ThinkPad-class machine running Ubuntu LTS with full-disk LUKS encryption, Secure Boot enabled, and a TPM-bound automatic unlock that still requires a passphrase on cold boot. I prefer business-grade ThinkPads because they have a real Coreboot/Heads pipeline, replaceable batteries, repair manuals, and a fingerprint reader I can switch off in firmware. I avoid TouchID-class biometrics on devices where the secure-enclave attestation is opaque to me.
Phone
iPhone with Lockdown Mode on, third-party app-tracking disabled, "Hide My Email" used for every service that doesn't get a real address. iCloud Advanced Data Protection on (which I'd argue should be the default). I keep Apple's location-sharing off by default and grant per-trip access where useful.
I run an Android side-handset on GrapheneOS for travel, research, and any work involving sensitive sources. Pixel hardware, no Google services, sandboxed Play Store only when strictly necessary, separate user profiles for separate workloads.
Hardware tokens
Two Yubikey 5s — one daily-carry, one in a fireproof safe as recovery. Both registered to every service I care about. Keys are FIDO2 / WebAuthn for sites that support it, OATH-TOTP fallback for the ones that don't, and OpenPGP card mode for the GPG keyring. The "two of two registered" pattern is the thing that lets me lose a key without losing access — single-key setups are a trap.
Off-board key storage
An air-gapped Nitrokey HSM for the master signing key and the offline-only credentials I rotate from. Lives in a safe; comes out for ceremony.
Network and travel kit
A travel router (GL.iNet Slate or Beryl) running OpenWrt, used as a forced-VPN bottleneck on hotel and conference networks. Faraday pouches for kit when I'm not actively using it. Cable-tie tags on lab kit so I can spot tampering.
Identity, auth and secrets
Password manager
1Password, with vaults segregated by sensitivity (personal, business, client work) and shared vaults for joint household credentials. Yubikey for the unlock factor. I considered Bitwarden seriously and would still recommend it for someone starting from scratch — both are good. I haven't moved because the integration depth and travel mode are mature in 1Password.
I do not use the browser's built-in password manager. Browser password stores are convenient and roughly free, and they are also the single most common credential-theft vector I see in real incidents.
Email aliases
addy.io as my primary aliasing service, with a Hide-My-Email fallback in the iOS sign-in flow. Every service gets a unique alias. Burning an alias when a service gets breached is the closest thing to a privacy super-power I have.
2FA / MFA
Hardware key (Yubikey) where supported. Time-based OTP via the Yubikey OATH module where the site only does TOTP. SMS only as a last-resort fallback for service-providers who refuse to ship anything else. Never push-prompt MFA to a phone that doesn't number-match.
Communications
Messaging
Signal for everyday secure messaging. Signal Username on rather than phone discovery. Disappearing messages as a default for new conversations.
Anything iMessage / WhatsApp gets treated as roughly-secure-but-known-to-the-platform. I assume metadata is harvested. I do not use Telegram for anything I would not say in a coffee shop.
Email
Self-hosted mail (Postfix + Dovecot + Rspamd, behind Cloudflare) on a UK-based VPS, with mail-archival to an encrypted local store. The reason isn't paranoia — it's that owning the address forever, regardless of which provider I use, is freedom from migration risk. The cost is a Saturday a year keeping it patched and tuned.
For receiving mail at the same address from anywhere, K-9 Mail on Android, Apple Mail on iOS, Thunderbird on the laptop. PGP via OpenKeychain on Android, the GPG keyring directly on the laptop.
Voice / video
Signal calling for sensitive calls. Jitsi Meet (self-hosted) for client calls when I want to control the recording pipeline. Zoom or Teams when the counter-party is on those, with the assumption that the meeting is recorded somewhere I can't see. Phone microphone disabled at OS level when not needed.
Network
VPN
Mullvad on the laptop and the GrapheneOS phone. Cash payment, account-number-only — no email address, no name. WireGuard. I trust Mullvad's no-logs claim approximately as far as I can throw it, but the model — anonymous accounts, audited code, repeatedly proven non-compliance with subpoenas — is the best of a bad genre.
I run my own WireGuard endpoint on a VPS for traffic I want to route through me rather than obscure from the world — useful for accessing UK-only services from abroad without giving my home IP to a hotel network.
DNS
Recursive resolver running locally (Unbound), with DNSSEC, QNAME minimisation, and DoT to authoritative servers. Pi-hole on the home network for ad and tracker filtering. Quad9 as the upstream of last resort because they have a privacy policy I trust and a malware-blocking option that is genuinely useful.
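The resolver setup described above, written out as an added example Unbound configuration (not the page's own file): local-only listener, DNSSEC validation, QNAME minimisation and DNS-over-TLS to Quad9. The file paths, and the choice to forward every query to Quad9 rather than recurse directly, are assumptions; remove the forward-zone block to recurse yourself and keep Quad9 only as a manual fallback.

```conf
# Added example of an Unbound config (assumed paths; adjust for your distro)
server:
    interface: 127.0.0.1
    interface: ::1
    port: 53
    # Only the local host may query; everything else is refused
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation; root trust anchor maintained via RFC 5011 rollover
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    val-clean-additional: yes
    aggressive-nsec: yes

    # Privacy: send each upstream only the labels it needs (RFC 9156)
    qname-minimisation: yes
    qname-minimisation-strict: no   # strict mode breaks some broken zones

    # Don't advertise resolver software to queriers; randomise query case
    hide-identity: yes
    hide-version: yes
    use-caps-for-id: yes

    # CA bundle used to authenticate the DoT upstream's certificate below
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    prefetch: yes
    verbosity: 1

# Forward everything to Quad9's malware-blocking resolvers over TLS (port 853).
# The name after '#' is checked against the server certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```

Validate with `unbound-checkconf` before restarting, then confirm validation is live with `dig +dnssec example.com @127.0.0.1` and check that the `ad` flag is set in the answer.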
Home network
Ubiquiti UniFi running its own VLANs: trusted, kids-and-guests, IoT, and "this got a free pass through the firewall to send telemetry off-network". Smart-home things live on the IoT VLAN with no internet-egress and no inter-VLAN talking. CCTV is on a separate VLAN and feeds a local NVR with no cloud account.
Browser
Firefox with strict tracking protection, container tabs, and the following extensions:
- uBlock Origin — the only ad-blocker that matters.
- Multi-Account Containers + Temporary Containers — every site lives in its own cookie jar.
- Privacy Badger — third-party-tracker heuristic block (EFF).
- Decentraleyes — local CDN for the libraries that would otherwise leak per-site request graphs.
I keep a separate Brave install for sites that genuinely don't work in Firefox. I avoid Chrome and Safari for default browsing — Chrome's incentive structure is wrong, and Safari is fine on iOS but gives me less control on the desktop.
Editor and dev
Neovim on the terminal for serious work; VS Code with the extensions I need for code-review across multiple languages. Both running with telemetry disabled. git is configured to commit with the GitHub no-reply email by default; never my real-name address.
Source control on self-hosted Gitea for my own code, GitHub for everything that needs to be public. SSH keys stored on the Yubikey, not on disk.
Backup
restic with an offsite repository on Backblaze B2 and a local repository on a NAS. Encryption keys held only on the laptop (and on a paper backup in the safe). Tested restore quarterly — the only backups that matter are the ones you've actually restored from.
What I don't use, and why
- Voice assistants. No Alexa, no Google Home, no always-listening anything. The cost-benefit doesn't work for me.
- Smart-TV "smart" features. The TV is wired to an Apple TV and the smart-TV side has no DNS resolution. Modern TVs ship with shockingly chatty telemetry.
- Browser sync. Bookmarks and passwords live in the password manager. I don't want my browsing graph in another vendor's database, and I particularly don't want it tied to a logged-in browser identity that follows me across devices.
- Most "convenience" cloud features. Photo stream, automatic backup of every screenshot, location-history in Google Maps. Default off, switched on only when actively needed.
If you're starting from scratch
Don't try to do everything on this list at once. Pick three things and do them this month: a password manager, a Yubikey, and email aliases. That covers more than 80% of the realistic improvement to a normal person's posture, in a weekend. Everything else can come later.
See also: Privacy hub · OSINT self-audit · PGP primer.