Click a layer to see tools

OPSEC tools organised into 7 practical layers.

Each section groups your favourite tools and services by what they protect: devices, network, messaging, browsing, monitoring, data, and behaviour/virtualisation.

Device & Disk

Network

Messaging

Browsing & IDs

Comms / Monitoring

Mail & Cloud

VMs & Cleanup

Core OPSEC Reminders

These points are high-level operational-security and privacy habits, presented for educational and research purposes only.

Never print sensitive content directly from your phone or laptop.
Never use a free VPN for sensitive activity.
Never boot or run sensitive operations from your home network.
Never bring your personal phone into high-risk locations.
Scrub metadata from your entire device on a regular basis.
Scrub EXIF data from everything in your photo and video gallery.
Use a Tor-based or similarly privacy-focused email provider.
Route sensitive traffic through Tor where appropriate.
Spoof ARP, DNS, MAC, HWID, and similar identifiers only in lawful test environments.
Use residential SOCKS5 proxies where policy and law allow.
Never log in to sensitive accounts under your real identity.
Limit sensitive phone calls to under 60 seconds whenever possible.
Use outbound-only Wi‑Fi setups for high-risk environments.
Packet-sniff and audit only networks you own or are authorised to test.
The moment you get comfortable and careless with OPSEC is when you are most at risk.

Educational content only. Follow all applicable laws and regulations; do not use this page to plan or conduct illegal activity.

1. Device and disk protection

Tools to encrypt data at rest and manage secrets on your endpoints.

Tools

VeraCrypt

Disk and container encryption; creates encrypted volumes or full‑disk encryption so data at rest is unreadable without the key.

Encryption
Bitwarden

Open‑source password manager; encrypts your vault locally and syncs across devices using zero‑knowledge cloud storage.

Passwords
KeePassXC

Local, file‑based password manager; stores an encrypted password database you control, often synced via your own storage.

Passwords
Kleopatra (Gpg4win)

GUI for GnuPG; manages keypairs and lets you encrypt/sign files and mail using OpenPGP public‑key cryptography.

PGP

2. Network and traffic protection

VPNs, firewalls, and secure tunnels that shape how your traffic leaves your devices.

Tools

Mullvad VPN

No‑log VPN; uses account numbers instead of emails and tunnels all traffic through encrypted servers.

VPN
IVPN

Privacy‑focused VPN; supports WireGuard/OpenVPN and multi‑hop routing to hide traffic paths.

VPN
Riseup VPN

Activist‑oriented VPN; encrypts traffic and aims to resist logging and commercial tracking.

VPN
Simplewall

Lightweight outbound firewall for Windows; lets you whitelist or blacklist processes’ network access.

Firewall
GlassWire

Network monitor and firewall UI; visualizes traffic per app and allows blocking suspicious connections.

Monitoring
Bitvise SSH Client

SSH client with tunnelling and SFTP; wraps traffic in encrypted SSH sessions for remote access and port forwarding.

SSH

3. Messaging and calling

Messengers and sharing tools with strong encryption and varying metadata profiles.

Tools

Signal

End‑to‑end encrypted messaging and calls; uses the Signal Protocol with minimal metadata retention by design.

E2EE
SimpleX

E2EE messaging over independent relays; no global identifiers or contact discovery, each contact uses separate routes.

Metadata‑min
Briar

P2P messenger using Tor, Bluetooth, or LAN; syncs messages directly without central servers.

P2P
qTox

Tox‑protocol client; fully P2P encrypted chats and calls with no central server infrastructure.

P2P
OnionShare

Runs a temporary Tor onion service to share files, chats, or websites anonymously, directly from your machine.

Tor share
Session

Decentralized messenger on the Oxen network; uses Session IDs instead of phone numbers and onion‑routed messages.

Decent.
Matrix / Element

Federated protocol and client; supports E2EE rooms using Olm/Megolm and self‑hosted homeservers.

Federated
XMPP (OMEMO)

Open XMPP chat with OMEMO extension for E2EE; decentralized servers with client‑side encryption.

XMPP
Wire

Team collaboration platform with E2EE messaging and calls; aimed at business and enterprise users.

Collab
Telegram

Cloud messenger; only “Secret Chats” are E2EE, normal chats are server‑stored with weaker OPSEC defaults.

Caution
Keybase (legacy)

Encrypted chat, file store, and identity proofs; largely deprecated but still used by some for key handling.

Legacy

4. Browsing, tracking, and identity separation

Browsers that harden privacy and help keep identities compartmentalised.

Tools

LibreWolf

Firefox fork with hardened privacy defaults; strips telemetry and ships with strong tracking‑protection presets.

Browser
Mullvad Browser

Anti‑fingerprinting browser built with the Tor Project; standardizes fingerprints and pairs well with any VPN.

AF‑resist
Tor Browser

Routes traffic through the Tor network; hides IP and resists tracking at cost of speed and compatibility.

Tor
Chromium

Base for many browsers; default config is not privacy‑hardened and needs manual tweaks and extensions.

Tweak
Vitamin Browser

Mobile‑focused privacy browser; blocks trackers and isolates sites to reduce profiling.

Mobile

5. Comms security and signalling

Voice tools and signalling methods with very different OPSEC properties.

Tools

MicroSIP

SIP softphone; uses your SIP provider’s encryption options (SRTP/TLS) for VoIP, security depends on provider.

VoIP
Disphone

Encrypted VoIP; routes calls through its service with end‑to‑end or transport‑layer encryption (implementation‑dependent).

VoIP
Google Voice

Cloud telephony service; convenient but heavily tied to your Google account and metadata, not OPSEC‑safe for sensitive roles.

Avoid
DTMF (tone dialing)

Old‑school in‑band signaling tones; plain audio on the line, offers no confidentiality by itself.

Legacy

6. Mail, identities, and cloud storage

Where your identities live long‑term: mailboxes and file storage.

Tools

Proton Mail

Encrypted email provider; stores mail with zero‑access encryption and supports PGP for end‑to‑end where used.

Email
Thunderbird

Email client; supports local encryption and integrates with OpenPGP or S/MIME for encrypted mail workflows.

Client
Proton Drive

Encrypted cloud storage; files are encrypted client‑side so Proton sees ciphertext, not your raw data.

Storage
Riseup Email

Collective‑run mail for activists; focuses on minimal logging and political safety rather than mainstream features.

Email
Mail2Tor

Tor‑only anonymous email service; accessible via .onion, designed to hide origin IP but depends on operator’s OPSEC.

Tor mail

7. Virtualisation and cleanup

VMs and system cleaners you can use to compartmentalise and reduce residual traces.

Tools

VirtualBox

Type‑2 hypervisor; runs virtual machines for sandboxed OS environments, useful for risky tasks or identity isolation.

VM
VMware

Virtualization platform; runs multiple OSes as VMs with snapshots, good for testing and compartmentalization.

VM
CCleaner

System cleaner; deletes temp files, history, and cached data—must be used carefully and not relied on alone for privacy.

Cleanup
BleachBit

Open‑source system cleaner and shredder; removes caches and can overwrite free space to reduce simple recovery.

Cleanup

How to use this page

Click any layer above to switch tool sets. Start by hardening devices and passwords, then add network, messaging, and identity separation according to your threat model.

Simple priority order

Lock down devices and password storage first.
Secure your main email and financial accounts.
Separate high‑risk identities onto their own browsers or devices.
Use VMs and cleaners for extra compartmentalisation and trace reduction.

Reminder: even with strong tools, OPSEC fails if you mix identities or leak information in your behaviour.