Keeping Your Data Safe
Last Reviewed: July 22, 2024
Your computers—including laptops, cell phones, tablets, and other devices—carry massive amounts of data . Your social contacts, private communications, financial and medical documents, photos are just some of the things on your devices that you want to keep safe.
Your device can be seized at the border or by law enforcement, picked up when accidentally left behind at a coffee shop, or burgled from your house—and once it’s in other hands, your data can be quickly copied. Unfortunately, locking your device with passwords, PINs, or biometrics may not protect your data if the device itself is seized. Depending on the type of device and how the data is stored on it, it may be relatively easy to bypass those ways of locking the device.
With that said, you can make it harder for those who physically steal your device to unlock its secrets. Here are a few ways you can help keep your data safe.
Encrypt Your Data
If you use encryption , your adversary needs both your device and your password (or some way to access your biometrics, like face or fingerprint ) to unscramble the encrypted data. Therefore, it's safest to encrypt all of your data, not just a few folders. Most smartphones and computers offer complete, full-disk encryption as an option.
For smartphones and tablets:
- Android offers full-disk encryption on newer devices when you first set up your device, or anytime afterwards under its “Security” settings for all devices. Older devices may not have this option on by default, so it’s best to check under the “Security” settings.
- Apple devices such as the iPhone and iPad describe full-disk encryption as “Data Protection” and turn it on by default when you set a passcode on your device when setting it up. Apple also offers "Advanced Data Protection," which extends that protection to the data you store in iCloud. We have a guide for setting that up here.
For computers:
Most operating systems, including Windows, macOS, and popular Linux distributions, include some form of full-disk encryption. Head over to our guide for setting it up for your operating system of choice here.
Note that in the case of Windows and macOS, you are inherently trusting Microsoft and Apple respectively. If you are concerned about surveillance from actors who'd potentially have access to secret tools or backdoors then consider an alternative open-source operating system that has been hardened against security attacks, such as Tails or Qubes OS. Alternatively, consider installing an alternative disk encryption software, Veracrypt, to encrypt your hard drive.
Remember: Whatever your device calls it, encryption is only as good as your password. If an adversary has your device, they have all the time in the world to figure out your passwords. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase .” A “passphrase” is a type of password that is longer for added security. For disk encryption we recommend selecting a minimum of six words. Check out our guide to Creating Strong Passwords for more information.
Still, while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by adversaries, or cordoned away on a much more secure device.
Create a Secure Device
Maintaining a secure environment can be hard. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, you may not be able to employ solutions because sometimes people with whom you need to communicate use less secure digital security practices. For instance, work colleagues might want you to open email attachments from them, even though you know your adversaries could impersonate them and send you malware .
So what’s the solution?
Consider cordoning off valuable data and communications onto a more secure device. You can use the secure device to keep the primary copy of your confidential data. Only use this device occasionally and, when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.
An extra, secure computer may not be as expensive an option as you think. Remember: this likely isn't going to be your everyday machine. It's a computer that is seldom used, and only runs a few programs, so does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.
Some general advice is almost always true: when you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older operating systems may no longer be supported, even for security updates.
When Setting up a Secure Computer, What Steps Can You Take to Make it Secure?
- Keep your device well-hidden: Store it somewhere where you are able to tell if it has been tampered with, such as a locked cabinet (and don’t discuss its location).
- Encrypt your computer’s hard drive: As noted above, use a strong passphrase so that if it is stolen, the data will remain unreadable without the passphrase.
- Install a privacy—and security—focused operating system like Tails or Qubes: Although either of these options can be an intimidating change from the operating systems you might normally be used to, using either one for simply storing, editing, and writing confidential information will be much easier than if you were to default to them for all your regular activities.
- Keep your device offline: Unsurprisingly, the best way to protect yourself from internet attacks or online surveillance is to never connect to the internet. You could make sure your secure device never connects to a local network or Wi-Fi and only copy files onto the machine using physical media, like USB drives or DVDs. In network security, this is known as having an “air gap ” between the computer and the rest of the world. While extreme, this can be an option if you want to protect data that you rarely access, but never want to lose (such as an encryption key , a list of passwords, or a backup copy of someone else's private data that has been entrusted to you). Or, an encrypted USB key kept safely hidden can be a simpler solution if you only need to store sensitive data.
- Don’t log in to your usual accounts: If you do use your secure device to connect to the internet, create separate web or email accounts that you use for communications from this device, and use Tor (see guides for Linux, macOS, Windows, and smartphones) to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity and this particular machine.
While having one secure device that contains important, confidential information may help protect it, it creates an obvious target. There’s also a risk of losing the only copy of your data if the machine is destroyed. If your adversary would benefit from you losing all your data, don't keep it in just one place—no matter how secure. Encrypt a copy and keep it somewhere else.
A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when going into a dangerous place or attempting a risky operation. Many journalists and activists, for instance, take a basic netbook with them when they travel. This computer does not have any of their documents or usual contact or email information on it so there’s minimal loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or "burner phone " when traveling for specific communications.
 
      