A plain-English guide to the physical tools, open-source operating systems, and privacy apps that give you genuine sovereignty over your data, communications, and finances. Start anywhere. Go at your own pace.
// Featured Build · Air-gapped Signing Device
The most important piece of hardware for anyone holding Bitcoin seriously. SeedSigner is a completely air-gapped, DIY signing device built from off-the-shelf components totalling around 0. It never touches the internet. Your keys are generated on-device, displayed once as a seed phrase, and never stored: the device is stateless by design. Build it yourself so you trust every component.
Commercial wallets are purchased from a known vendor, creating a supply chain record linking you to a signing device. SeedSigner components (a Raspberry Pi Zero, a small screen, and a camera) are generic electronics sold by thousands of retailers with no Bitcoin association. There is no firmware pre-installed, no vendor to be breached, and no supply chain risk. You verify the software yourself before every use. seedsigner.com ↗
The brains of the device. Version 1.3 is preferred because it has no WiFi or Bluetooth, so the air gap is guaranteed by hardware, not software. The Zero W version works but requires physically disabling the wireless chip. GPIO pins may need soldering if not pre-attached.
Note: Buy from a general electronics retailer, not a Bitcoin-specific store. Adafruit, Pi Hut, Pimoroni, or Raspberry Pi Foundation direct.
A 240×240 pixel LCD display with a built-in joystick and three buttons that sits directly on the Pi Zero's GPIO pins (no soldering required). Must be the 240×240 model. The controls navigate the SeedSigner menu entirely without a keyboard or mouse.
Note: Double-check the resolution before buying. Wrong models exist on Amazon; search for "Waveshare 1.3 inch LCD HAT 240x240".
Used to scan QR codes, the primary way you load unsigned transactions (PSBTs) into the device and export signed transactions back out to your wallet software. Two styles exist: a generic Pi camera with a gold flex cable, and a smaller "Zero" format camera. Check which your enclosure supports.
Note: Buy the Pi Zero compatible flat-cable version, not the standard Pi camera.
Holds the SeedSigner OS image. Any microSD of 64MB or larger works; a cheap 8GB card from a general retailer is fine. You flash the verified SeedSigner image to it before each session. The device is stateless: remove the card and nothing persists.
Tip: Keep a spare blank card. Verifying and reflashing fresh before sensitive use is good practice.
A 3D-printed or CNC-milled case protects the build and makes it genuinely portable. There is no official vendor, so choose a seller with good community reputation. The SeedSigner project lists vetted regional suppliers. Australian option: HansMade via ShopBitcoin.com.au.
Purchase the Pi Zero, WaveShare LCD Hat, camera module, and a microSD card from general electronics suppliers (Adafruit, Amazon, AliExpress, Pi Hut). Buying from Bitcoin-specific shops creates a purchasing record. Pay with cash-purchased gift cards or a privacy-focused payment method if supply chain privacy matters to you.
Go to github.com/SeedSigner/seedsigner/releases ↗ and download the latest release image. Verify the SHA256 checksum and PGP signature before flashing. This step is non-negotiable: you are trusting this software with key generation.
Use Raspberry Pi Imager ↗ or Balena Etcher ↗ to write the verified image to your microSD card. Takes about two minutes. Eject the card once complete; do not modify any files on it.
Attach the WaveShare LCD Hat directly to the GPIO header pins on the Pi Zero (it pushes on; no soldering needed if pins are pre-attached). Connect the camera module via the flex cable. Insert the microSD card. Watch the official assembly demo video ↗ for a visual walkthrough.
Power the Pi Zero via its micro-USB port. SeedSigner boots in about 45 seconds. Navigate to Seeds → Generate Seed. You can generate entropy by photographing a random image (dice, coin flips) or via the built-in dice-roll entropy tool. The 12 or 24-word seed phrase is displayed once; write it down on paper or stamp it in metal. Never photograph it or type it into any connected device.
SeedSigner communicates with watch-only wallet software (Sparrow Wallet, Specter Desktop, BlueWallet) exclusively via QR codes, never via USB, Bluetooth, or WiFi. Your wallet software generates an unsigned transaction, displays it as a QR code, you scan it with SeedSigner, sign it on the device, and scan the signed QR back. The private key never leaves the device. Resources: Sparrow Wallet ↗ · SeedSigner explainers ↗
SeedSigner is stateless. When you power off, all seed data in memory is destroyed. Nothing is stored on the microSD card or the device itself. For your next session: power on, re-enter your seed (manually or via QR backup), sign, power off. This is the security model: no persistent storage means nothing to steal.
seedsigner.com ↗ · GitHub source code ↗ · Official FAQ ↗ · Sparrow + air-gapped signing guide ↗
// Encrypted Storage · PIN-Protected USB Drives
These drives encrypt everything in hardware: no software, no driver, no computer involved in unlocking. You enter your PIN directly on the device's physical keypad. If someone steals it or brute-forces the PIN, it crypto-erases itself. FIPS 140-3 Level 3 is the gold standard, the same certification used by US government and military.
Software encryption (like BitLocker or VeraCrypt) runs on your computer, meaning it's vulnerable to keyloggers, cold-boot attacks, and malware running on the host. Hardware-encrypted drives handle all cryptography inside a dedicated secure element on the drive itself. The host computer only ever sees already-encrypted data. No PIN entered on your computer = no keylogger risk.
Physical alphanumeric keypad on the drive itself, so the PIN never touches your computer. XTS-AES 256-bit hardware encryption. Brute force protection auto-erases after too many wrong attempts. BadUSB protection via digitally signed firmware. OS-independent: works with any computer, phone, or tablet with USB.
Why it matters: FIPS 140-3 Level 3 is among the highest security certifications available. The epoxy-potted circuit board makes chip-level tampering virtually impossible.
Aluminium-encased, IP58-rated waterproof and dustproof USB drive with a 10-key onboard keypad. 256-bit AES XTS hardware encryption. No software required, ever. Admin + user PIN modes. Auto crypto-erase on brute force. One of the most physically durable encrypted drives available.
Why it matters: Field-deployable, survives being dropped, submerged, or compressed. A field journalist or researcher's best option for encrypted portable storage.
PIN-protected hardware-encrypted USB drive with FIPS 140-2 Level 3, NATO Restricted, and NLNCSA DEP-V certification, the only consumer USB drive approved for NATO classified data. Onboard keypad, XTS-AES 256-bit, auto-lock on removal, brute force protection.
Why it matters: If NATO trusts it with classified material, it's good enough for your seed backups, legal documents, or private keys.
A PIN-protected portable SSD in capacities up to 8TB. Same Apricorn security model as the Secure Key (hardware AES 256-bit, physical keypad, no software) but with full SSD performance and much more space. Ideal for encrypted backup drives of an entire Bitcoin node's blockchain data or sensitive archive storage.
Why it matters: Large encrypted storage with no software dependency. Back up your entire node, your encrypted documents, and your operational files on one drive that self-destructs if tampered with.
Combine a standard USB with TailsOS (see section below) with a PIN-protected Apricorn or Kingston drive for your persistent encrypted volume. TailsOS provides the amnesic operating system; the IronKey or Aegis provides tamper-proof, hardware-encrypted offline storage for your keys, documents, and configuration. Together they give you a completely portable, hardware-protected, amnesic computing environment.
// Operating System · Amnesic Live OS
Tails is a live operating system you boot from a USB stick. It routes all traffic through Tor, leaves no trace on the computer you run it on, and is used by journalists, whistleblowers, activists, and security researchers worldwide. Developed by the Tor Project and Debian. Open source, free, and audited.
Amnesic: Tails forgets everything when you power off. No browser history, no files, no connection logs remain on the host machine. Tor-first: Every network connection is routed through Tor, so your IP address is never exposed. Encrypted persistence: Optional; you choose what survives reboots in an encrypted volume.
1. Download the Tails image from tails.boum.org and verify its cryptographic signature. 2. Flash it to a USB stick (8GB minimum) using Balena Etcher or the Tails USB installer. 3. Boot your computer from USB (hold Option on Mac, press F12/Del on PC during startup). 4. Tails boots in ~30 seconds.
Tails works best on a fast USB 3.0 or USB 3.1 stick. Samsung FIT Plus, SanDisk Ultra Fit, or any USB 3.0 drive of 16GB+ works well. Speed matters: a slow drive makes Tails noticeably sluggish. Avoid USB 2.0 drives. Keep a second USB for encrypted backup of your Tails persistent volume.
Tor Browser · Thunderbird (encrypted email) · KeePassXC (passwords) · OnionShare (secure file transfer) · Electrum Bitcoin wallet · LibreOffice · GnuPG · Metadata Cleaner · MAT2 (metadata stripping) · Kleopatra (PGP) · and more. Everything you need for private, secure computing.
Journalists protecting sources · Whistleblowers · Activists in high-risk environments · Anyone transacting or managing keys on untrusted hardware · Legal professionals with privileged communications · Anyone wanting to use a shared or hotel computer without leaving any trace. Also works as an air-gapped signing environment.
// Bitcoin Wallet Software · Desktop
Sparrow is the best desktop Bitcoin wallet for anyone who values sovereignty, privacy, and understanding what their wallet is actually doing. It is fully open source, Bitcoin-only, and works with every major hardware signing device including SeedSigner, Coldcard, Jade, and Passport. It runs on Windows, Mac, and Linux, and installs cleanly on TailsOS.
Most wallets hide what is happening under the hood. Sparrow shows you everything: the full transaction, every input and output, the fee rate, the script type, and the PSBT (Partially Signed Bitcoin Transaction) data your signing device receives. It is designed for people who want to understand Bitcoin, not just use it.
Key features: Full PSBT support for air-gapped hardware wallets, built-in Tor, coin control, transaction labelling, CoinJoin via Whirlpool, multisig, watch-only wallets, connects to your own node.
Sparrow lets you choose how it connects to the Bitcoin network. Each step up improves your privacy significantly. Start with a public server if you are new, then graduate to your own node when you are ready.
1. Public server (easiest, least private): connects to Blockstream or other public Electrum servers via Tor. 2. Bitcoin Core on your own machine. 3. Your own Electrum server (Fulcrum or Electrs) behind your own node for full sovereignty.
Sparrow is the recommended companion app for most open-source signing devices. It speaks the PSBT standard natively, which means every interaction with an air-gapped device is done via QR code or SD card, never via a live USB connection if you choose air-gap mode.
Works with: SeedSigner (QR), Coldcard (SD card / QR), Blockstream Jade (USB or QR), Foundation Passport (QR), Keystone, Trezor, and more.
TailsOS does not persist installed software between sessions by default. The method below installs Sparrow into the TailsOS persistent storage so it survives reboots. Use this for a watch-only wallet or for managing UTXOs and labels. Do not store a seed phrase in Sparrow on Tails unless you fully understand the security tradeoffs. Use your SeedSigner or Jade for key storage.
You need a TailsOS USB with Persistent Storage already set up and unlocked. If you have not done this yet, boot into Tails, go to Applications → Tails → Persistent Storage, and follow the setup wizard. You also need an internet connection (Tails will use Tor automatically).
In Tails, open Applications → Tails → Persistent Storage and make sure these are enabled: Personal Documents (gives you the ~/Persistent folder), and Dotfiles (saves hidden config files between sessions). Optionally enable Network Connections if you want your WiFi/Tor settings saved too. Restart Tails and unlock Persistent Storage on the welcome screen.
Open Tor Browser in Tails and go to sparrowwallet.com/download. Download the Linux Standalone version for your CPU (Intel/AMD = x86_64, Raspberry Pi or Apple Silicon = aarch64). The file will be named something like sparrow-2.x.x-x86_64.tar.gz. Do not download the .deb installer version as it cannot be persistently installed in Tails.
On the download page, Sparrow provides a manifest file and a PGP signature. Verify them before running anything. In a Tails terminal: download the manifest and signature files, import Craig Raw's signing key (gpg --keyserver keyserver.ubuntu.com --recv-keys D4D0D3202FC06849A257B38DE94618334C674B40), run gpg --verify sparrow-*-manifest.txt.asc sparrow-*-manifest.txt to check the signature on the manifest, then run sha256sum --check sparrow-*-manifest.txt --ignore-missing to check the tarball against the manifest. You should see "Good signature" from gpg and OK for the tarball from sha256sum. If not, delete the file and re-download.
Open a terminal (Applications → Utilities → Terminal) and run:
mkdir -p ~/Persistent/Apps/Sparrow/data
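Then extract the downloaded tarball into that folder (--strip-components=1 drops the archive's top-level Sparrow/ directory so that bin/ lands directly under ~/Persistent/Apps/Sparrow/, matching the paths used below):
tar -xzf ~/Downloads/sparrow-*.tar.gz -C ~/Persistent/Apps/Sparrow/ --strip-components=1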
This puts the Sparrow application files in your persistent storage so they survive reboots.
Run Sparrow and tell it to use your persistent folder for its wallet data so settings and labels survive reboots:
~/Persistent/Apps/Sparrow/bin/Sparrow --dir ~/Persistent/Apps/Sparrow/data
Sparrow will open. On first launch it will ask you to configure a server connection. Choose Private Electrum or Public Server depending on whether you have your own node. Enable Tor in the server settings (Tails routes everything through Tor anyway, but enabling it in Sparrow adds an extra layer).
To avoid typing the full command every session, create a small shell script in your dotfiles. In terminal:
mkdir -p ~/.local/bin
echo '#!/bin/bash' > ~/.local/bin/sparrow
echo 'exec ~/Persistent/Apps/Sparrow/bin/Sparrow --dir ~/Persistent/Apps/Sparrow/data "$@"' >> ~/.local/bin/sparrow
chmod +x ~/.local/bin/sparrow
Now you can launch Sparrow from the terminal by simply typing sparrow. Because Dotfiles persistence is enabled, this script will survive reboots.
For SeedSigner: in Sparrow, go to File → New Wallet, choose Air-gapped Hardware Wallet, select SeedSigner, and follow the QR code pairing process. Your SeedSigner exports an xpub via QR code; Sparrow imports it as a watch-only wallet. To sign a transaction, Sparrow generates a PSBT QR, you scan it on SeedSigner, sign it, and scan the result back. For Jade: connect via USB or use the QR air-gap mode. Sparrow will detect it automatically.
When a new version of Sparrow is released, download the new standalone tarball, verify it, delete the old folder inside ~/Persistent/Apps/Sparrow/bin, and extract the new version in its place. Your wallet data and settings in ~/Persistent/Apps/Sparrow/data are untouched. sparrowwallet.com/download ↗
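The verification step in the Sparrow procedure above, like the SeedSigner image check earlier on this page, comes down to two checks: the manifest's signature must come from the expected key, and the download must hash to the value listed in that manifest. The following is an added example, not code from the Sparrow or SeedSigner projects; the function names and the policy of rejecting expired-key signatures are assumptions of the example, and it assumes a sha256sum-format manifest with a detached signature over it.

```shell
#!/usr/bin/env bash
# Added example (not Sparrow's own tooling): verify a download against a signed manifest.
# Assumes a sha256sum-format manifest plus a detached signature over the manifest.

# Fingerprint quoted on this page for the Sparrow signing key.
EXPECTED_FPR="D4D0D3202FC06849A257B38DE94618334C674B40"

# Reads `gpg --status-fd 1 --verify ...` output on stdin.
# Succeeds only if a VALIDSIG line carries the pinned primary-key fingerprint
# (its last field) and gpg reported no bad, unverifiable, expired-key or
# revoked-key signature. Rejecting EXPKEYSIG is this example's policy choice.
# A bare "Good signature" is not enough: any key in the keyring can produce one.
status_has_pinned_validsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Succeeds only if the SHA-256 of file $2 equals the manifest ($1) entry for its
# base name. Manifest lines look like "<hex>  <filename>" ("*" marks binary mode).
# Returns 2 when the file is not listed, so "nothing to compare" never passes.
# Assumes release file names contain no spaces.
manifest_matches_file() {
    local manifest file name want have
    manifest="$1"; file="$2"
    name=$(basename -- "$file")
    want=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }
    ' "$manifest")
    [ -n "$want" ] || return 2
    have=$(sha256sum -- "$file" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# Full check: pinned signature on the manifest, then tarball hash against it.
verify_release() {
    local manifest sig tarball
    manifest="$1"; sig="$2"; tarball="$3"
    gpg --status-fd 1 --verify "$sig" "$manifest" 2>/dev/null \
        | status_has_pinned_validsig "$EXPECTED_FPR" \
        || { echo "FAIL: manifest not signed by $EXPECTED_FPR" >&2; return 1; }
    manifest_matches_file "$manifest" "$tarball" \
        || { echo "FAIL: $tarball does not match the signed manifest" >&2; return 1; }
    echo "OK: $tarball matches the signed manifest"
}

# Usage: <script> MANIFEST MANIFEST_SIGNATURE TARBALL
if [ "$#" -eq 3 ]; then
    verify_release "$@"
fi
```
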
// Bitcoin Key Security · Hardware Wallets
Hardware wallets store your private keys in a secure chip and sign transactions without ever exposing the key to your computer. For most people who don't want to build a SeedSigner, a commercial hardware wallet is the right choice. Here's how they compare.
Never buy a hardware wallet from a third-party marketplace like Amazon or eBay. Wallets can be tampered with in transit or arrive pre-seeded with someone else's seed phrase. Only buy from the manufacturer's official website. Verify the tamper-evident packaging is intact on arrival. If the seed phrase is already written down in the box, the device is compromised; return it immediately.
| Device | Open Source? | Screen | Best For | Link |
|---|---|---|---|---|
| SeedSigner DIY build · ~0 | ✓ Fully open source hardware + firmware | Colour LCD | Maximum sovereignty. Stateless: forgets keys on power off. No supply chain risk. Recommended. | seedsigner.com ↗ |
| Coldcard Mk4 ~50 USD | ✓ Open source firmware | Monochrome OLED | Advanced users. Duress PIN, brick-me PIN, fully air-gappable via SD card. No USB required for signing. | coldcard.com ↗ |
| Blockstream Jade Plus ~$79 USD | ✓ Fully open source hardware + firmware | 1.9" colour screen | Best beginner-to-intermediate option. Camera for QR air-gapped signing. USB-C, Bluetooth, or SD card. Duress PIN. Pairs with Sparrow, Blockstream Green, BlueWallet. Available on Amazon. | Jade Plus on Amazon ↗ blockstream.com/jade ↗ |
| Foundation Passport ~99 USD | ✓ Open source hardware + firmware | Colour screen | Open hardware. Camera for QR signing. Replaceable batteries. Bitcoin-only focus. | foundationdevices.com ↗ |
// Mobile Security · Multisig · NFC Signing
Most people think multisig is complicated. Nunchuk makes it genuinely usable on a phone. TAPSIGNER by Coinkite is a Bitcoin private key on a credit-card-sized NFC card you tap to sign. Together they are the most practical path to mobile multisig security available today.
Nunchuk is a Bitcoin-only wallet built from the ground up for multisig. Where other apps treat multisig as a hidden advanced feature, Nunchuk treats it as the default. You set up a wallet with multiple keys (2-of-3 is most common), and any transaction requires approval from two of them. Your keys can be a mix of hardware wallets, TAPSIGNER cards, and a Nunchuk software key. The app is open source and collects no identifying information beyond an optional email address. It holds no keys itself.
Why it matters: Single-key Bitcoin storage has one catastrophic failure mode: whoever gets that key gets your funds. Multisig eliminates single points of failure. Nunchuk makes this achievable without a laptop or technical expertise. It secured over $1 billion in Bitcoin as of 2025.
A Bitcoin private key embedded in a credit-card-sized NFC card with a secure element chip. You tap it to your phone to sign transactions. It has no screen, no battery, and no USB port. Your phone (via Nunchuk or Sparrow) handles the wallet logic; TAPSIGNER holds the keys and never exposes them. PIN-protected. Ships with an RF-blocking sleeve to prevent unauthorised NFC reads. Backed by Coinkite, the same team behind Coldcard.
Why it matters: At $40 it is the most affordable hardware signing device available. The card form factor means it lives in your wallet. It makes multisig accessible as a second or third key without carrying a dedicated hardware wallet device.
A multisig wallet requires more than one private key to authorise a transaction. In a 2-of-3 setup you have three keys, and any two of them can sign. If one key is lost, stolen, or destroyed you are not locked out. If an attacker gets one key they still cannot spend your funds. This eliminates the single biggest risk in Bitcoin self-custody: one device, one backup, one catastrophic loss.
Common setups: 2-of-3 (most common), 3-of-5 (for larger holdings). Keys can be spread across locations, devices, and people (collaborative custody). The wallet configuration file (descriptor) must be backed up separately from the keys.
This is a practical 2-of-3 setup using three keys: a Nunchuk software key on your phone, a TAPSIGNER card, and a Blockstream Jade hardware wallet. Any two of the three can sign. You need all three key backups and the wallet descriptor to recover.
Download Nunchuk from the App Store or Google Play. Open the app and go to Keys at the bottom. Tap the + button and select Software Key. Nunchuk will generate a seed phrase. Write it down on paper and store it in a different physical location from your TAPSIGNER and Jade. This is Key 1.
In Nunchuk, go to Keys, tap + and select NFC. Prepare a PIN you will remember (minimum 6 characters). Hold your TAPSIGNER against the back of your phone until the app detects it. Follow the prompts to initialise the card and set your PIN. Nunchuk will import the TAPSIGNER's extended public key. The private key never leaves the card. Store the TAPSIGNER in its RF-blocking sleeve when not in use.
Connect your Blockstream Jade via USB or use QR code mode. In Nunchuk, go to Keys, tap + and select Hardware Wallet. Follow the on-screen pairing process. Nunchuk will import the Jade's xpub. This becomes your third key, ideally stored in a different location from the TAPSIGNER and software key backup.
Go to Nunchuk's home screen and tap the + button. Select Custom Wallet. Give it a name. On the next screen, assign all three keys you just added. Set Required keys to 2 (meaning 2-of-3 must sign). Select your preferred address type (Native SegWit or Taproot). Tap Create Wallet.
After the wallet is created, Nunchuk will prompt you to back up the Wallet Configuration (also called the descriptor or wallet backup file). This file defines the multisig policy and lists all three xpubs. Without it, you cannot reconstruct the wallet even if you have all three seed phrases. Export it and store it in at least two separate locations. Do not store it with any single key.
Go to the wallet's Receive tab. Verify the deposit address on at least one hardware device (Jade or, if you have a way, cross-check with Sparrow). Send a small test amount first. Confirm it arrives, then try spending it to verify your signing workflow works before depositing larger amounts.
When you want to send Bitcoin, create the transaction in Nunchuk. You will need signatures from 2 of your 3 keys. Sign with the TAPSIGNER by tapping it to your phone when prompted (enter your PIN). Sign with Jade by connecting it or scanning the QR code. The transaction broadcasts automatically once enough signatures are collected. If either device is unavailable, use the software key and whichever device you do have access to.
TAPSIGNER ships with an RF-blocking sleeve. Insert it fully: even 5mm sticking out can allow a nearby NFC reader to get a signal. Store it separately from the device you use to sign. If you lose your TAPSIGNER PIN you cannot access the key on that card. The backup is encrypted and requires the PIN to decrypt. Treat the card as you would a small hardware wallet: do not lend it, do not lose it, and do not expose it to strong magnetic fields. TAPSIGNER has no screen, so you rely entirely on Nunchuk to display transaction details. Always verify addresses on a device with a screen (Jade) before signing high-value transactions. Reference: tapsigner.com/faq ↗
// Bitcoin Infrastructure · Full Nodes
A Bitcoin full node independently downloads and validates every transaction and block; it doesn't trust anyone else's interpretation of the chain. Running your own node means your wallet queries your node, not a third-party server. No one knows your addresses, your balance, or your transaction history. You verify the rules for yourself.
Storage: Bitcoin's blockchain is ~650GB and growing; you need at least 1TB SSD. RAM: 4GB minimum, 8GB recommended. Connection: Stable broadband with upload bandwidth (your node will serve data to others). Time: Initial block download (IBD) takes 2 to 5 days. After sync, it runs quietly in the background.
Intel N100, 16GB RAM, 2TB NVMe. The most polished node experience: an app store UI in a browser that installs Bitcoin Core, Lightning, and dozens of other self-hosted apps in one click. Good for beginners who want something that just works.
Software: Umbrel OS · Connectivity: Tor built-in
umbrel.com ↗
AMD Ryzen 7, 16GB RAM, 2TB NVMe. Runs StartOS, the most sovereignty-focused node OS. Strict app isolation. Strong privacy defaults. For users who want maximum control and are comfortable with a steeper learning curve.
Software: StartOS (open source) · Focus: Sovereignty, app isolation
start9.com ↗
The most transparent and configurable node software. Runs on a Raspberry Pi 4/5 with an SSD. SSH-based interface. As of v1.12.0 (Sep 2025) can boot entirely from NVMe; microSD is only needed for initial install. Best for users who want to understand exactly what's running.
Hardware: Raspberry Pi 4/5 + 1TB SSD · Licence: MIT
raspiblitz.org ↗
Install Umbrel OS on any Raspberry Pi 4/5 (4GB+ RAM) or x86 machine. Flash the image to a microSD, attach a 1TB+ SSD, connect ethernet, and you have a full node with a clean browser UI. Recommended for beginners building their own hardware.
Hardware: Raspberry Pi 4/5 or any 64-bit PC · Cost: ~00 150 in parts
umbrel.com/install ↗
The reference implementation: no wrapper software, no app store, just Bitcoin. Install on any machine running Linux, Windows, or macOS. Combine with Tor for privacy. Steepest learning curve but the most auditable setup possible. Every other node software is built on top of this.
Hardware: Any computer with 1TB+ storage · Licence: MIT
bitcoin.org full node guide ↗
A fully open-source fork of Umbrel with GNU AGPL licensing (unlike Umbrel's non-commercial PolyForm licence). Strict app isolation, Raspberry Pi 5 optimised, community-funded. A good choice for those who need a genuinely open-source node stack without commercial restrictions.
Licence: GNU AGPL · Hardware: Raspberry Pi 5 (4GB+)
runcitadel.space ↗
Raspberry Pi 5 (8GB RAM) ↗ · 1TB+ USB 3.0 SSD ↗ · Pi 5 case with active cooling ↗ · node.guide full setup walkthroughs ↗
// Private Communications · Apps
The hardware is only half the picture. The apps you use for messaging, social media, and browsing determine how much of your life is exposed. These are the open-source, privacy-respecting alternatives to mainstream platforms.
The gold standard for private messaging. End-to-end encrypted by default for every message and call. Open source. Collects almost no metadata. Used by journalists, lawyers, politicians, and security professionals worldwide. Disappearing messages add an extra layer.
signal.org ↗
A protocol, not a platform, for decentralised social media. Your identity is a cryptographic keypair, not an account on someone's server. No central point of control, no deplatforming, no algorithm. Posts (notes) are signed with your private key and broadcast to relays. Client apps: Damus (iOS), Amethyst (Android), Snort (web).
nostr.com get started ↗
Routes your web traffic through three encrypted relays so websites can't see your real IP address and your ISP can't see what you're visiting. Pre-installed in TailsOS. Essential for any sensitive research or browsing. Also available as a standalone app for Windows, Mac, Linux, and Android.
torproject.org download ↗
End-to-end encrypted email hosted in Switzerland, outside US/UK/Five Eyes jurisdiction. Zero-knowledge: Proton cannot read your emails. Open source. Free tier available. Pair with ProtonVPN for encrypted browsing. Also offers Proton Drive (encrypted cloud storage) and Proton Calendar.
proton.me ↗
Open-source, end-to-end encrypted password manager. Self-host it on your own server, or use Bitwarden's cloud with zero-knowledge encryption. Works with YubiKey for hardware 2FA. Free for individuals. The only password manager whose entire codebase is publicly auditable.
bitwarden.com ↗
The most private messenger available. Unlike Signal (which requires a phone number), SimpleX has no user identifiers at all: no phone number, no username, no account. Connections are established via one-time QR codes. End-to-end encrypted. Cannot be compelled to produce user records because none exist.
simplex.chat ↗
Built jointly by Mullvad VPN and the Tor Project. Designed to minimise browser fingerprinting without requiring Tor (though it works with it). No telemetry, no account required, blocks trackers by default. A good daily driver if Tor Browser's speed is limiting for normal browsing.
mullvad.net/browser ↗
A self-custodial Lightning wallet that connects directly to your own node (LND, Core Lightning, Eclair). No custodian, no KYC, no third-party server between you and your funds. Open source. Android and iOS. The right mobile wallet for anyone running their own node.
zeusln.com ↗
// Everyday Gear · Start Here
You don't need a lab full of advanced tools. These five items are the highest-impact, lowest-effort security upgrades available, and anyone can use them.
Plug into any hotel or public WiFi and it creates your own private encrypted network. Runs open-source OpenWRT firmware. Supports WireGuard and OpenVPN out of the box. The Mango (~5) is the budget pick; Slate AX (~19) offers WiFi 6 speed.
Why it matters: Hotel and café WiFi are common attack surfaces. This puts a hardware firewall between you and them, protecting every device you connect.
A physical key you tap to log in. Even if your password is stolen, attackers can't get in without the physical device in hand. Works with Google, Microsoft, GitHub, Proton, Bitwarden, and thousands of services. FIDO2 and passkey support. The single highest-impact security upgrade for most people.
Blocks all wireless signals to a device inside: WiFi, Bluetooth, NFC, GPS, cellular. Drop your car keys in one to block relay theft (one of the fastest-growing vehicle theft methods). Drop your phone in one when you need genuine privacy. Under 5 for a quality pouch.
Sits between your cable and any public USB charging port. Passes power through but physically blocks the data pins, so nothing can be transferred to or from your device. Essential for airport, hotel, and café charging points.
Makes your laptop or phone screen appear black to anyone not directly in front of it. Prevents shoulder surfing in planes, trains, cafés, and open offices. Essential for anyone handling sensitive work in public. Fits over your existing screen; no installation tools needed.