Scrivener.PRO

The Privacy-Focused Linux Stack: Stop Leaking Data and Start Owning Your Machine

The Privacy-Focused Linux Stack: Stop Leaking Data and Start Owning Your Machine

AnarchySC

Picture this: you’re sitting at a coffee shop, laptop open, doing nothing remarkable. Writing an email. Reading some news. Maybe looking up something embarrassing about a health symptom at 2 AM from home later. Normal stuff.

Now picture a room full of people you’ve never met, watching everything you type, search, and click—logging it, packaging it, selling it to people who want to influence what you buy and who you vote for.

That’s not paranoia. That’s just Tuesday, if you’re running an unexamined OS with a stock browser and default DNS settings.

Here’s the thing about Linux—it doesn’t fix privacy by default. But it gives you the tools to actually build it. That’s a fundamentally different offer than anything Microsoft or Apple is making you.

Choose Your Distro Like You’re Choosing a Foundation

Clean minimal Linux desktop showing a terminal and system monitor with dark theme
Clean minimal Linux desktop showing a terminal and system monitor with dark theme

Not all Linux distros are created equal from a privacy standpoint. The distro is your foundation, and a cracked foundation means whatever you build on top of it is already compromised.

Here’s how I see the landscape:

  • Debian — Solid, stable, minimal telemetry, huge community. My go-to for servers. For a privacy desktop, it’s a strong base you can harden yourself.
  • Fedora — Clean upstream, sponsored by Red Hat, some telemetry that can be disabled. Better out-of-the-box hardware support than Debian for modern machines.
  • Tails — Lives on a USB drive, routes everything through Tor, leaves no trace. Built for journalists, activists, and people who take threat modeling seriously. Not your everyday driver but powerful for high-risk tasks.
  • Whonix — Two-VM architecture: one runs Tor, one runs your desktop. Separates network identity from your working environment. Complex to set up, hard to deanonymize.
  • Kicksecure — Debian-based, hardened defaults. If Debian is a solid house, Kicksecure is that house with a steel door and window bars.

The distro wars are mostly noise. What matters is: does this system minimize what it collects, can you audit what it’s doing, and can you configure it to your actual threat model?

If you’re just switching from Windows and want a private daily driver without going full operational-security mode, Fedora or a hardened Debian install gets you 80% of the way there with reasonable effort.

Pro Tip: Whatever distro you pick, run systemctl list-units --type=service shortly after install. You’ll be surprised what’s running that you never asked for. Disable what you don’t need. Reduce your attack surface.

DNS: The Part Everyone Ignores Until It’s Too Late

Network diagram showing DNS traffic being routed through encrypted resolver, abstract visualization with glowing nodes
Network diagram showing DNS traffic being routed through encrypted resolver, abstract visualization with glowing nodes

Your DNS resolver is basically a log of every website you’ve ever thought about visiting. By default, that log goes to your ISP. In many jurisdictions, they can keep it, sell it, or hand it over without much friction.

This is true even if you’re running Linux. The OS doesn’t fix your DNS. You have to fix it yourself.

Here’s the practical stack I’d recommend:

  • DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) — Encrypts your DNS queries so your ISP can’t read them in transit. systemd-resolved on modern Linux systems can handle DoT natively.
  • Self-hosted Pi-hole or AdGuard Home — Runs on a Raspberry Pi or a spare machine on your home network. Blocks ad and tracking domains before they ever load. Fast and satisfying.
  • Upstream resolvers that don’t log — Point your DoH/DoT setup at Quad9, NextDNS, or run your own recursive resolver with Unbound if you want to go all the way.

The self-hosted resolver route is genuinely one of the highest-ROI privacy moves you can make. One afternoon of setup, years of benefit. I covered more of the self-hosting mindset in Homelab on a Budget—the same principles apply here.

Pro Tip: Use resolvectl status on systemd-based distros to verify your DNS configuration is actually doing what you think it’s doing. Trust but verify. Actually, just verify.

Browser and Application Hardening: Where the Real Leaks Are

Your OS can be pristine and your browser can still hand your identity to every ad network in a five-mile radius. The browser is the biggest attack surface on your daily driver, full stop.

Firefox is the realistic choice for most people—it’s open source, actively maintained, and configurable enough to actually respect your preferences when you set them. The project continues to evolve its interface and settings, which keeps it competitive as a daily privacy tool.

Key hardening steps that actually matter:

  • Enable DNS-over-HTTPS inside Firefox too — Belt and suspenders. Even if your system DNS is configured, the browser can have its own resolver.
  • uBlock Origin — Not just an ad blocker. It’s a content filter with network-layer blocking. Run it in medium mode if you want to understand what you’re blocking.
  • Disable WebRTCmedia.peerconnection.enabled = false in about:config. WebRTC can leak your real IP even through a VPN. This one catches people.
  • Container tabs — Firefox Multi-Account Containers lets you isolate your Google session from your banking session from your Reddit session. They can’t cross-contaminate.
  • Resist fingerprintingprivacy.resistFingerprinting = true in about:config. Makes your browser blend into the crowd instead of sticking out like a thumbprint.

For the truly motivated, LibreWolf ships with many of these settings pre-configured. It’s a Firefox fork that removes telemetry and applies sensible privacy defaults. Good option if you don’t want to configure everything by hand.

The browser isn’t just software. It’s the window between you and the most data-hungry ecosystem ever built. Treat it accordingly.

Disk Encryption, Logging, and the Stuff Running in the Background

A padlock icon overlaid on a Linux terminal screen with encrypted filesystem output, dark moody lighting
A padlock icon overlaid on a Linux terminal screen with encrypted filesystem output, dark moody lighting

Privacy isn’t just about what leaves your machine. It’s about what persists on it.

Full disk encryption with LUKS should be non-negotiable for any machine that leaves your house. Most Linux installers offer this during setup. Enable it. If someone lifts your laptop, your data is theirs without it.

A few more things worth locking down:

  • Swap encryption — If you have a swap partition, encrypt it. Sensitive data from RAM can end up in swap. Most FDE setups handle this automatically, but verify.
  • systemd journal logs — By default, Linux logs a lot. Decide how long you want logs to persist and configure /etc/systemd/journald.conf accordingly. MaxRetentionSec is your friend.
  • AppArmor or SELinux — Mandatory access control. Limits what applications can actually touch on your filesystem even if they’re compromised. Ubuntu uses AppArmor by default. Fedora uses SELinux. Learn which one your distro uses and don’t disable it when something breaks—figure out why it’s breaking.
  • Firewall basicsufw on Debian/Ubuntu or firewalld on Fedora. Default deny inbound. Know what you’ve opened and why.
Pro Tip: Run ss -tulpn periodically to see what ports are listening on your machine. If something’s listening that shouldn’t be, that’s a conversation worth having with yourself.

If you’ve already thought about escaping Big Tech’s data collection, this is the infrastructure layer that makes those choices stick. Without hardening your OS and network, switching to a different search engine is just rearranging deck chairs.

Threat Modeling: The Skill Nobody Talks About

Here’s what most privacy guides miss: there’s no universal “most private” setup. There’s only the right setup for your specific threat model.

A journalist in a repressive country has different needs than a developer who just doesn’t want their ISP selling their browsing habits. Running Tails through Tor for your everyday Netflix session is overkill that will just frustrate you. Running stock Ubuntu with default settings because “I have nothing to hide” is leaving the window open in a bad neighborhood.

Ask yourself three questions:

  • Who are you protecting yourself from? ISP? Ad networks? Nosy employer? Nation-state adversary? The answer changes everything.
  • What are you protecting? Browsing habits? Financial data? Communications? Source code? Each has different exposure vectors.
  • What’s your tolerance for friction? Maximum privacy often means maximum inconvenience. Find the level where you’ll actually maintain the setup.

The goal isn’t paranoid perfection. The goal is intentional architecture. Most people aren’t being targeted—they’re just caught in the dragnet of mass data collection. The practical stack described above—a sensible distro, encrypted DNS, a hardened browser, FDE, and a firewall—defends against that dragnet effectively without turning your computer into a bunker.

And that’s really the point, isn’t it? Not to hide. To decide who gets to see what. To own your machine instead of leasing it back from the surveillance economy.

Who’s trying to control who here? Once you frame it that way, the answer to “is this worth the effort?” becomes obvious.

So—what does your current setup actually know about you? And more importantly, who else does?

Leave a comment