Tools for end-users

Introduction

This portal aims to provide recommendations for open-source security and privacy tools for end-users. The set of tools was collected and tested, often repeatedly, with the final tests in spring 2022 and is based on the open tool taxonomy as part of the Cyber Security for Europe project (D7.5, M40 Open tool portal).

Open-source operating system and tools

This portal covers the use of tools for laptop (or desktop) computers with a Linux distribution installed. Basic recommendations are provided for secure data storage (data-at-rest), email and user communication tools, password managers, and Firefox web browser with additional extensions.

For open-source tools, it is very common that maintenance and development are a community service provided by volunteers and independent individuals. The assessment of recommended tools therefore includes a basic analysis of whether the tool is actively maintained (there are regular updates and releases, documentation, proper responses to issue reports, and adequate handling of reported security issues).

Users

We define two model user categories for general tool usability assessment – beginner and intermediate.

It is crucial that applications are secure as a default for a beginner user. A beginner user has only basic knowledge of desktop applications or OS settings. No command-line tools are considered for this category.

Typical scenarios for this category are secure web browsing, editing and storing documents (with private data), or using email. Such users can use pre-configured encrypted laptops, connect to secure cloud services, or work remotely.

Intermediate users have more technical skills, including command-line tools and more sophisticated settings of applications and OS. Intermediate users can also install new tools, use technical documentation, and experiment with some security settings.

Scenarios for intermediate users are basically the same as for beginners, but such users can install and configure applications and operating systems themselves.

For the full definition of user categories, see User definitions.

For additional notes on the methodology used in this project, see Project background and methodology.

There also exist other guides or lists of security-aware applications and practices, such as Surveillance Self-Defense (maintained by Electronic Frontier Foundation) or a list of security-related applications (maintained by Arch Linux distro community).

Linux distribution installation and setting

A user-friendly, stable, and secure desktop open-source operating system (Linux distribution) is the basis for installing all applications mentioned in this portal. The distribution should provide easy access to all tasks needed in everyday life, like easy connection to WiFi, Bluetooth, user authentication, and data-at-rest encryption, but also easy access to applications.

All recommended applications should be pre-installed or available through distribution repositories (beginner users can easily install them). The distribution must provide an easy way to install updates for a reasonable time (after that time the user must upgrade the whole distribution to a new version).

The essential recommendations for distribution installations include:

  • applying regular security updates and patches,
  • enabling mandatory access control (like SELinux) and network firewall,
  • encrypting the disk device,
  • using secure passwords.

Users should also apply security-enhancing settings in software configuration, not install unnecessary software and data, and run and securely store regular backups of data.

We recommend the Ubuntu distribution as a stable and widely used Linux desktop distribution with a rich graphical interface for a beginner user. Intermediate users can also use the Fedora Workstation distribution, which provides the most recent software and technologies with a shorter release cycle. Both distributions offer automatic security updates.

For more descriptions, see Operating systems.

For Ubuntu and Fedora installation instructions, see OS installation hints.

Security distributions

There are a lot of specialised Linux distributions; some focus on particular use cases. As part of the comparison related to security and privacy, we analysed some specialised distributions for security tasks like strong privacy protection or penetration testing. These distributions (often provided in the form of a Live distribution running from an external device like a USB flash disk or CD) are intended for users that would like to investigate or try very advanced security tasks. These are not meant to be used by beginner or intermediate users daily.

Linux distributions Kodachi and Parrot can be recommended for these experiments. Kodachi is a distro focusing on anonymity, and it provides easily used tools for privacy. Parrot is a pen-testing distribution similar to Kali Linux.

For more info about this category, see Linux distributions for security and privacy.

Applications for privacy and cyber-security defence

Data-at-rest encryption

Data such as documents, media files, email, or databases contain private information. Such data (also called data-at-rest) are stored on some physical device (SSD, flash disk) or in a cloud service. Strong encryption to provide data confidentiality should be a default option.

Encryption for laptops (and mobile devices in general) is crucial to prevent data leaks if a device is stolen or lost. Common and easily accessible data encryption methods include full disk encryption and filesystem-based encryption. File encryption can also partially cover user data stored in cloud services where we require end-to-end encryption (cloud providers never see open data).

Full disk encryption

Full disk encryption is the simplest way to encrypt data – all the underlying storage (disk or partition) is encrypted, protected by a strong passphrase or a token. If configured during installation, it can also include encryption of the operating system itself. That is important because various temporary files (swap, hibernation) can contain copies of sensitive data.

Filesystem encryption

A more flexible way to encrypt data is to use filesystem encryption, which allows setting different encryption parameters for individual files or directories. Also, tools for cloud storage encryption usually work on file-based encryption as it is native for cloud services interfaces.

Beginner users

For beginner users, pre-configured full disk encryption is the simplest way to achieve privacy protection. Also, it should be used for portable drives when storing data for transfer or backup.

The recommended tool is LUKS, as it is an integrated solution in all Linux distributions, and with simple installation configuration, the whole distribution can be stored on an encrypted disk. It is also usable for portable drives (for example, the GNOME desktop file manager directly supports formatting of external devices with LUKS).

For storing data (files) in cloud services, the Cryptomator application (with an easily usable GUI) is recommended.

Intermediate users

For data exchange (flash disks or shared drives) with other operating systems, we recommend the VeraCrypt full-disk encryption tool. It can be used for external drives or containers stored in files. VeraCrypt is supported on Windows and macOS systems as well.

Intermediate users can also use file-based encryption. The recommended tools are gocryptfs and the generic fscrypt (a filesystem encryption extension directly supported by the Linux kernel).

For more descriptions of the tools, see Data-at-rest encryption.

Email and user communication

Online communication (and email communication specifically) is one of the most used services on the internet today. As it is essential for business, it also plays a significant role in security incidents – leaking personal data through unencrypted emails or phishing attempts are just two examples. Secure configuration by default is one of the critical parts of the evaluation here.

Email can be used through online services (a typical example is Google Gmail). Still, a local client in the form of an installed application has many advantages (like individual extensions in the form of plugins).

We recommend Thunderbird as the locally installed email client for both beginner and intermediate users. Thunderbird also includes support for OpenPGP email encryption without the need to install any other extensions.

For more descriptions, see Email communication.

Password managers

Passwords are still one of the most used forms of user authentication. Creating and remembering a strong and secure password is challenging. A user also should not use the same password for multiple resources. Password managers help with this problem by providing secure password storage, generating strong, random passwords, and integrating with other applications (auto-fill of stored passwords).

We recommend the Bitwarden password manager for both beginner and intermediate users as a secure default. The second option for intermediate users is KeePassXC, which provides a higher security margin and individual settings.

Both password managers can also be integrated into a web browser, replacing the internal password manager. For users who do not use a standalone password manager, we recommend an integrated password manager in the Firefox web browser (with primary password enabled).

For a detailed evaluation, see Password management.

Web browser

The browser is the most used and most versatile application for accessing online resources. Firefox is the primary suggestion for both beginner and intermediate users. The development of the Firefox browser has the protection of privacy as the main development goal.

The Google Chrome browser could be needed in specific situations (such as a page incompatibility or missing support for some particular hardware). Our recommendation is to stay with Firefox as the primary browser. The evaluation is based on Firefox version 100 (released on May 3).

The core browser settings have many built-in privacy options. These options were evaluated as the best defaults:

  • automatic browser updates are enabled (if the Linux distribution does not allow automatic Firefox updates in the application, automated security updates for the distribution should be enabled)
  • preferences set to use HTTPS-only mode
  • the new TLS protocol version is enforced
  • block insecure HTTP downloads on a secure HTTPS page
  • block websites from storing data (Enhanced Tracking Protection setting)
  • automatically clear history, cookies, and cache data
  • phishing and malware protection is turned on
  • use DuckDuckGo (a privacy-based search engine) as the default
  • set the Do Not Track signal option
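
The preference-based items in the list above can be checked against a profile's `user.js` or `prefs.js`. The following is an added example, not part of the original portal: the preference names are standard Firefox preferences, while the expected values (for instance a TLS minimum of 3, meaning TLS 1.2) are this example's assumed reading of the list. Automatic updates and the default search engine are not checked here.

```javascript
// Added example: audit Firefox prefs text against the recommendations listed above.
// Pref names are Firefox preferences; the expected values are this example's
// reading of the list (assumption), e.g. TLS minimum 3 = TLS 1.2 or newer.
const RECOMMENDED = [
  { pref: "dom.security.https_only_mode", ok: v => v === true, why: "HTTPS-only mode" },
  { pref: "security.tls.version.min", ok: v => typeof v === "number" && v >= 3, why: "minimum TLS version" },
  { pref: "dom.block_download_insecure", ok: v => v === true, why: "block insecure HTTP downloads" },
  { pref: "browser.contentblocking.category", ok: v => v === "strict", why: "Enhanced Tracking Protection" },
  { pref: "privacy.sanitize.sanitizeOnShutdown", ok: v => v === true, why: "clear data on exit" },
  { pref: "browser.safebrowsing.phishing.enabled", ok: v => v === true, why: "phishing protection" },
  { pref: "browser.safebrowsing.malware.enabled", ok: v => v === true, why: "malware protection" },
  { pref: "privacy.donottrackheader.enabled", ok: v => v === true, why: "Do Not Track signal" },
];

// Parse user_pref("name", value); lines. Values are JSON-compatible literals;
// a later line for the same pref overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* skip unparsable value */ }
  }
  return prefs;
}

// One finding per recommendation: "ok", "weak" (set to a weaker value) or
// "unset" (not pinned in this file, so the browser default applies).
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  return RECOMMENDED.map(({ pref, ok, why }) => {
    const status = !prefs.has(pref) ? "unset" : ok(prefs.get(pref)) ? "ok" : "weak";
    return { pref, why, status, value: prefs.get(pref) };
  });
}

// Constructed sample, not taken from a real profile.
const SAMPLE = `
// user.js (constructed)
user_pref("dom.security.https_only_mode", true);
user_pref("security.tls.version.min", 1);
user_pref("browser.contentblocking.category", "standard");
user_pref("privacy.donottrackheader.enabled", true);
`;

for (const f of auditPrefs(SAMPLE)) {
  if (f.status !== "ok") console.log(`${f.status.toUpperCase()}: ${f.pref} (${f.why})`);
}
```

An "unset" finding is not necessarily a weakness; it only means the file does not pin the value, so the setting should be confirmed in the browser's preferences.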

Firefox add-ons or plugins can provide many advanced privacy-related options. For beginner users, we suggest using the internal Firefox password manager (with a strong primary password). For intermediate users, NoScript Security Suite should be installed by default, and external password managers can be used (see Password managers section).

For a detailed description of the Firefox browser and an evaluation of many privacy-aware add-ons, see Security and privacy assessment of the open source tools of the Firefox ecosystem of add-ons.

The add-on list includes connection security, script and ad blockers, cleaners, and tracking protection add-ons that were selected based on a preliminary assessment and personal notes; for details, see Firefox security and privacy add-ons.
