Hardening a PC against oppresive government intrusion

I live in a country that has a track record of changing governments on an irregular basis, and could possibly become oppressive without notice. That being said, I have tried to be prepared for such an eventuality. Though I have done nothing illegal, the mere fact of being a foreign national could perhaps set me up for a 2 AM raid by the local Stasi. Anything on my computer that is perfectly legal today could be illegal tomorrow, and when the goal is an arrest SOMETHING can always be found (or planted) as an excuse to do so.

I would like opinions as to whether this setup is sufficient against a government computer intrusion:

  1. Windows 11 OS with strong random pass-phrase
  2. C-drive full disk BIOS encryption with 4096 bit key and six random word pass-phrase by Diceware
  3. Brave browser with Firefox for backup
  4. StartPage search engine
  5. Private Internet Access VPN with Proton VPN as backup
  6. Tails OS with DuckDuckGo search engine over Tor for anything that even remotely might be construed as suspicious
  7. No Wifi or cellphone. All internet connections by ethernet cable.

I know every chain has its weak links, and that is why I am asking. I appreciate your input.

1 Like

This is suspicious. Get a normie phone and make that the focus and look normal and do what peers do.

Thank you for your reply. I suppose it is rather important to look like a face in the crowd. My primary concern, however, is not so much a secure online presence as the consequences of my PC being confiscated or stolen. How easy or hard would it be to break into my system, assuming no physical duress for the password? Again, nothing is illegal at the moment, but there may be reading materials that might not agree with an oppressive government’s political views.

My use of VPN, etc., is only an attempt to leave the least trace as possible.

Make sure you have a non-suspicious use of a VPN… Like Netflix, Disney+, etc. Again put it in the normal phone

If you can show that the Netflix is for avoiding geoblocks, you should be fine.

Dont look like you are hiding something.

1 Like

What is “BIOS encryption”? If that’s something built into your BIOS you can and should not rely on that. Always use well-known, audited open source software for really important things like encryption.

2 Likes

Perhaps I used the wrong term. By this I mean the disk is fully encrypted and the password must be presented before Windoes can start. This encryption is done by VeraCrypt. This is separate from the Windows password.

I’m sorry for the confusion. I have no doubt everyone here knows a lot more about these things than I. That is why I am asking. And thanks for your reply.

Had you considere using Linux/Graphene OS?

Other than the technical aspect, you might want to consider this matter in the legal aspect as well. The most important part is jurisdiction. For example, a full disk encryption won’t prevent you from cloud recording/logging, i.e. if there were some services logging your actions in the background, and those actions are considered to be offenses, you are busted even though the government can’t crack your device. And any registered company in your country will sing like a bird due to court orders.

Therefore, your first priority is to prevent any leakage. If I were you, I would use a product/service that’s not registered in the country.

Also, according to Techlore, PIA VPN and Proton VPN are not one of the providers that listed as warrant canary. They might not be your best bet.

2 Likes

Thank you very much for the reply. I went to the Techlore site, and found it very interesting. But frankly, I don’t know what Warrant Canary means.

Well, if this is the case then there aren’t really technological measures you can take to protect yourself against this threat. The mere fact that you have an encrypted drive might be seen as evidence of guilt regardless of its contents, for example.

Without knowledge of details like what data you’re actually trying to secure, which government you’re trying to protect from, what techniques they might use against you, etc., nobody here will be able to give you a fully-informed opinion on your situation. I’m not suggesting you share all of these specific details online in a place like this… I just want you to understand the limitations that a community like ours can provide. In your case it sounds like your situation is potentially very complex and the threats you face (governments) are very advanced, so you may want to consider consulting someone who is an expert in your specific situation.


In terms of actionable advice: Something you may wish to consider is not storing any data locally in the first place, if protecting against physical confiscation is your greatest concern. Storing your information with an encrypted cloud storage provider and only accessing it via Tails (i.e. making it difficult or impossible for an attacker to know which cloud storage provider you use in the first place based on physical/local evidence) could provide decent protection against such a threat.


The general insights given within this community and on privacyguides.org should not be construed as specific advice for your situation.

6 Likes

As @jonah this is not really a technical solution when rubber hose cryptoanalysis is an option. I’m sure we’ve all seen:


About the only thing protecting you there is the amnesic nature of Tails, (ie not having anything to find) the rest is security theater against a state adversary. What browser or search engine you use is irrelevant. Whether the connection is WiFi or Ethernet also has no bearing on anything if these connections are tied to you (via credit card etc).

One could argue that a fixed wired internet connection is less anonymous, as it is usually tied to an address (xDSL, FTTP etc), as opposed to a burner cell phone maybe not even in your name. Having said that possession of a cellular device under someone else’s identity may very well be incriminating on it’s own.

5 Likes

I don’t understand this quoted statement.

I need a VPN with Torrent support.
Is PIA (Private Internet Access) not a good choice?

Currently I use iVPN, but the disabled port forwardings


Private Internet Access review conclusion

Private Internet Access is a cheap VPN. The company has been adding features to increase the value of the service, but it still lags far behind industry leaders like NordVPN or Surfshark. On a positive note, it does have good VPN apps that are secure and user-friendly. But even with that, these drawbacks stand out:

  • Slow and inconsistent speeds
  • Based in the United States
  • Does not work well with streaming services
  • Now part of a large VPN conglomerate (Kape Technologies)
  • Mediocre support that may or may not be available

In short, while the company continues to improve their service, we still can’t recommend this VPN. There are too many other great alternatives to consider.

Stay safe!

If the VPN is not declared its warrant canary status, it’s most likely to say yes to any warrant sending to them, and is complying to any government/third-party request providing there’s a court order.

See more here.

1 Like

Just so you know, we don’t put any value in warrant canaries. As far as I know these have never been proven to actually work, and are just that, security theater.

Generally a gag order will include broad description of “tipping off” the person being investigated.

In the context of what this thread was originally about, oppressive governments will generally not have any sway over companies in other jurisdictions that that simply just won’t comply with unreasonable requests.

If you live under an oppressive government, it would make no sense to use a VPN operated from that same country, regardless of whether there is a warrant canary or not.

You probably don’t. The only thing that might happen is you might miss out on some peers. Of course there are other things eg usenet which do not have this issue and work just fine with the servarr family of tools.

1 Like

Use a normal VPN all the time, possibly enable it on router level. Get Mullvad, Proton, IVPN or Windscribe.

If you want your browsing to be private, use VPN all the time, or if you suspect that government will take your computer, use sandbox when browsing. Windows 11 has Windows Sandbox, which will do the job.

When using normal browsers, disable cloud sync and profiles, and delete cookies and history on closure.

You can use VPN on your phone. Also use NextDNS or Control D as your DNS provider instead of ISP, if you want additional control over your DNS queries.

1 Like

Is the Windows Sandbox feature that comes bundled with Windows 11 really secure? Or is it better to buy a 3rd party App?

You should research “Plausible deniability”. For example, have an hidden partition with your prohibited stuff, and a normal partition with your normal stuff. This way, when the police knocks at the door, you can claim to cooperate by giving them your password and be well-seen.

1 Like

Yes, it is secure but configuration options are very limited compared to Vmware Player/Workstation. You need to have Windows Pro or above license. It is also deleted once you close the app, unlike other 3rd party apps.

Configuration part