Rate my maybe paranoid setup?

Curiosity has me wondering what my setup looks like from an outside perspective, so I’m posting here. TL;DR: This will cover the security setup of my hardware and then software setups. Just a PC, laptop, and phone.

Edit: My threat model, how could I forget. Surveillance capitalism generally. Not entirely trusting of some people I live with. Although most of this stemmed from a curiosity of how far I can go with security on my devices too.

Desktop Gaming/Daily PC

There are tradeoffs using a gaming machine as your daily driver for everything, of course. Invasive anti-cheats, gaming software, etc. But I feel I keep my security hygiene well enough and I haven’t had an issue in the many years I’ve used my gaming machine as my daily driver too.

Security

  • BIOS has a user and admin password set. While this is trivial security, in some unlikely scenario where one day I turn my machine on and it doesn’t request that, that could be a sign someone messed with the internals and/or the BIOS itself (resetting CMOS).

  • Full Disk Encryption using Windows BitLocker. Changed some defaults so it uses 256-bit AES instead of the default 128-bit. Disallow new DMA devices when locked, etc. Preboot authentication is configured to require the TPM, a PIN (a password in reality, not just numbers) and a startup key to decrypt. If someone happens to know the PIN, they can’t log in. If they happen to have the keyfile, they can’t log in. Essentially MFA for the preboot environment. BitLocker is the most convenient FDE solution for me. No issues with OS updates and it’s simple to configure. Keyfiles are kept backed up in multiple places as well as on a USB I carry with me.

  • Windows itself requires a login password. Security policy is configured so that after four wrong attempts at the Windows login screen the device restarts and the BitLocker 48-digit recovery key is required to boot. I’ve also followed the PG Windows guide for the basic group policy edits.

  • Windows Defender has worked well as an AV. I don’t usually download stuff besides mods for games or backing up YouTube channels I like with yt-dlp. I always verify checksums for downloads when applicable.

Laptop

My laptop is a gaming brand. I game on it on occasion so I dual-boot Windows and Linux. Windows is configured the same way as my desktop. Linux I tend to jump between a few distros every now and then, but I always secure them using LUKS with a 12-word diceware passphrase. Overkill? Maybe, but it’s not much of an inconvenience for me.

Phone

I use a Pixel running GrapheneOS. The owner profile uses a passphrase with some numbers to pad it up to the 128-character limit. The owner profile only has Google services so I can install apps from the Play Store, then put them onto other profiles.

My daily profile has a separate password but follows the same formula: a diceware passphrase with numbers in it to reach the 128-character limit.

I use wired headphones for music, so the USB-C port is set to charging only when locked. Auto reboot is set to 1 hour. A duress PIN/password is set. I keep them written down in a note inside the case, labeling them as work passwords.

Software

This will cover all of the major software I use either on a single device or multiple or where applicable.

  • Browsers - PC/Phone/Laptop: Firefox, Brave, and Mullvad Browser configured per PG recommendations

  • Bitwarden - PC and Laptop: Uses its own email alias and a YubiKey for 2FA, so I feel safe storing other TOTP codes in there too. Master password is a long passphrase nearing 200 characters. Sounds like A LOT but it’s pretty quick for me to type. Everything of course is backed up on an emergency sheet kept in a safe. The safe also contains 2 backup YubiKeys.

  • KeePassXC / KeePassDX - Phone/PC: I keep a backup of my Bitwarden DB and also all of my local hardware recovery on two databases. I sync them with Proton Drive between my devices. Those passwords are on my emergency sheet.

  • Proton Pass - Phone: This holds a few passwords for critical accounts and most of my FDE passwords/recovery.

  • Aegis - Phone: Stores any critical account TOTPs. For accounts that don’t allow security keys.

  • VPNs: Proton on my Windows devices. The Moderate NAT option makes it better for gaming. Mullvad on my phone and Linux installs.

  • Cloud Storage: Proton Drive. I’ve looked at using Tresorit but I haven’t had a need to add another provider.

  • Encryption - VeraCrypt for FDE of USBs and HDDs. My Bitwarden backups go onto USBs that use FDE. The passwords for them are kept on my emergency sheet. I have a few HDDs I use for other backups of general things: YouTube, software, game backups, etc. Those all use FDE with VeraCrypt using 128-character passwords.

Obviously this comes down to the emergency sheet. It’s in a safe, but even then I feel vaguely uncomfortable having that info in plaintext even if it’s locked away. So I’m still working on that aspect.

That’s all I can think of putting here for now. There might be things I left out or that aren’t clear, so I’m open to questions.

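As an added example (not code from the post above, and not the poster's own configuration), here is a PowerShell audit of the BitLocker and lockout settings the post describes: the XTS-AES 256 policy, the DMA block while locked, the four-attempt machine lockout, and whether the OS volume actually carries a TPM + PIN + startup key protector. The registry paths and value names are the documented Group Policy locations; the expected values are assumptions matching the post, not a general recommendation.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the post: audits the BitLocker/lockout settings
# described above. Registry paths and value names are the documented policy
# locations; the expected values are assumptions matching the poster's setup.

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Expected, [string]$What)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual) {
        $Findings.Add("MISSING  $What ($Name not set; the default applies)")
    } elseif ($actual -ne $Expected) {
        $Findings.Add("MISMATCH $What (got $actual, expected $Expected)")
    } else {
        $Findings.Add("OK       $What")
    }
}

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# OS-drive cipher policy: 3/4 = AES-CBC 128/256, 6 = XTS-AES 128, 7 = XTS-AES 256.
Test-PolicyValue $fve 'EncryptionMethodWithXtsOs' 7 'OS drive policy is XTS-AES 256'
# "Disable new DMA devices when this computer is locked" (Thunderbolt/PCIe DMA attacks).
Test-PolicyValue $fve 'DisableExternalDMAUnderLock' 1 'new DMA devices blocked while locked'
# "Interactive logon: Machine account lockout threshold" = 4 -> reboot into BitLocker recovery.
Test-PolicyValue $sys 'MaxDevicePasswordFailedAttempts' 4 'machine lockout after 4 bad logons'

# Policy is only intent; check what the OS volume is actually doing.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector.KeyProtectorType)

if ($vol.ProtectionStatus -ne 'On') {
    $Findings.Add("FAIL     protection is $($vol.ProtectionStatus) on $($vol.MountPoint)")
}
# TPM + PIN + startup key is one protector whose type name starts with TpmPin and ends with Key.
if ($types | Where-Object { $_ -like 'TpmPin*Key' }) {
    $Findings.Add('OK       preboot protector is TPM + PIN + startup key')
} else {
    $Findings.Add("WEAK     preboot protectors: $($types -join ', ') (no TPM+PIN+key protector)")
}
if ($types -notcontains 'RecoveryPassword') {
    $Findings.Add('WARN     no 48-digit recovery password protector; the 4-attempt lockout would leave no way back in')
}
$Findings.Add("INFO     cipher in use on the volume: $($vol.EncryptionMethod)")

$Findings
```

Run it from an elevated prompt. One caveat worth knowing: EncryptionMethod reports the cipher the volume was encrypted with, and changing the policy after the fact does not re-encrypt, so the policy check and the volume check can legitimately disagree; the fix is to decrypt and re-encrypt. The recovery-password check matters because the four-attempt lockout boots straight into BitLocker recovery, and without that protector there is nothing to type there.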

There is absolutely no reason to use a 12 word diceware passphrase, even a 7 word one is overkill for the 99% of people.

Absolutely overkill yet again, a 6-digit PIN is enough because of Weaver throttling and hardware-bound key derivation.


I agree with both of those! Most of the security aspects came from wondering how far I can go with them before I feel inconvenienced by them. They’re way overkill, I’ll even admit. But they don’t feel all that restraining to me personally. In time I might relax some of them.

This is not a threat model, these are just threats. Common mistake though :slight_smile:

I’m not sure what you’re really asking. It certainly sounds like you’re avoiding the typical surveillance capitalists so… mission accomplished? :star:


Yes, but you’re just wasting your time and energy and will burn out eventually, then you will end up like this guy: I’m quitting this privacy journey


This is not a threat model, these are just threats. Common mistake though :slight_smile:

Well I have some more research to do then lol

I’m not sure what you’re really asking.

I guess I just wanted an outside perspective on my basic security/privacy measures. A friend was asking about the USB on my keyring, and when I was explaining what it was he looked confused. It got me thinking about how most people probably don’t even utilize any form of FDE on their devices, and here I am with this setup.

dam

Specific to Windows, my friend.
A: try not to use it; however, if that is not an option, I would definitely look up the PAW system. Microsoft uses this for Azure devices internally. It’s a very restrictive but hardened setup of Windows, and it encompasses the following:

  1. Remove admin rights. You don’t log in as Admin at all, you elevate and impersonate; this is how Windows security should work.
  2. AppLocker-type system. You allow the OEM and Microsoft signatures as default, OEM because they have driver access, Microsoft for the same reason, then you configure AppLocker based on what you want to allow installed. Remember, use containers not executables. A script called AaronLocker will do this if you install what you need first, then run it.
  3. BLOCK taskmgr.exe and explorer.exe from the admin group. This effectively stops admins from logging into Windows, massively reducing the attack surface.
  4. BitLocker via TPM. BitLocker’s main purpose isn’t encryption now, it’s to protect configurations like AppLocker.

An excellent MVP called Sami Laiho outlined this back in like 2017. His clients are military and govt usually, and he is an expert in app restrictions. I would advise looking into his videos for a better understanding of Windows security, and how to harden it, for fairly cheap at home :slight_smile:

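As an added example (this is neither the poster's code, Sami Laiho's material, nor AaronLocker), here is a PowerShell sketch of steps 2 and 3 above as one AppLocker policy generated in audit mode: publisher allow rules for Microsoft-signed code (and optionally an OEM signer read from a binary you point it at), the standard Windows and Program Files path allows so the OS keeps working, and deny rules for explorer.exe and taskmgr.exe scoped to the built-in Administrators group. The rule names, the output path and the OEM binary placeholder are assumptions; the Microsoft publisher string is the distinguished name Windows binaries are signed with.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own code): a PAW-style AppLocker policy in audit
# mode. Assumptions: output path, rule names, and that $OemSignedBinary is set
# to a vendor-signed file from your own machine (leave empty to skip that rule).

$PolicyPath      = Join-Path $env:TEMP 'paw-applocker.xml'   # assumed location
$Everyone        = 'S-1-1-0'
$Admins          = 'S-1-5-32-544'                            # BUILTIN\Administrators
$MsPublisher     = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
$OemSignedBinary = ''                                        # placeholder, e.g. a vendor utility

function New-PublisherRule([string]$Name, [string]$Publisher, [string]$Sid, [string]$Action) {
@"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePublisherCondition PublisherName="$Publisher" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
}

function New-PathRule([string]$Name, [string]$Path, [string]$Sid, [string]$Action) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

$rules = @(
    # Step 2: Microsoft-signed code is allowed for everyone.
    (New-PublisherRule 'Allow Microsoft-signed code' $MsPublisher $Everyone 'Allow')
    # AppLocker's usual default path rules, so Windows itself keeps running.
    (New-PathRule 'Allow Windows folder' '%WINDIR%\*' $Everyone 'Allow')
    (New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $Everyone 'Allow')
    # Step 3: deny the admin group its shell and Task Manager. Deny beats allow in AppLocker.
    (New-PathRule 'Deny explorer.exe to Administrators' '%WINDIR%\explorer.exe' $Admins 'Deny')
    (New-PathRule 'Deny taskmgr.exe to Administrators' '%WINDIR%\System32\Taskmgr.exe' $Admins 'Deny')
)
if ($OemSignedBinary) {
    # Read the OEM signer off a binary they shipped rather than typing the DN by hand.
    $oem = (Get-AppLockerFileInformation -Path $OemSignedBinary).Publisher.PublisherName
    if ($oem) { $rules += New-PublisherRule 'Allow OEM-signed code' $oem $Everyone 'Allow' }
}

$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $xml -Encoding UTF8

# Dry run before anything is applied: what would the policy decide for each group?
$probe = "$env:WINDIR\explorer.exe", "$env:WINDIR\System32\Taskmgr.exe", "$env:WINDIR\System32\notepad.exe"
foreach ($sid in $Admins, $Everyone) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $probe -User $sid |
        Select-Object @{ n = 'User'; e = { $sid } }, FilePath, PolicyDecision, MatchingRule
}

# Apply in audit mode only once the dry run looks right; enforcement is a later, deliberate step.
# Set-AppLockerPolicy -XmlPolicy $PolicyPath
Get-Service AppIDSvc | Select-Object Status, StartType   # must be running or AppLocker does nothing
```

Audit mode first is not optional here: step 3 denies the built-in Administrators group explorer.exe, so an enforced mistake locks the elevated session out of its own shell. Watch for event ID 8003 in the Microsoft-Windows-AppLocker/EXE and DLL log (files that ran but would have been blocked) before changing EnforcementMode to Enabled, and keep the Application Identity service (AppIDSvc) running, since without it the policy is never evaluated.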

So when your phone reboots you’re typing a 128-character password?

If you want to harden Windows more, check out the CIS Benchmarks. They provide a PDF of things to tweak in various OSes & services to meet different levels of security.
