Secure laptop: hardware, OS and settings explained
Which laptop to choose for privacy, which OS fits, and how to configure it. A complete guide from hardware to daily use.
A secure laptop doesn’t start with software — it starts with hardware. Not all laptops are equal. Get the hardware right, and the OS does the rest.
This guide walks through the whole stack: which laptop, which OS, which settings, and how that translates to daily use.
Why your laptop is a problem
Standard laptops (Windows, macOS) are built for convenience, not privacy:
- Windows sends diagnostic data to Microsoft. Cortana, telemetry, advertising ID — on by default.
- macOS is closed-source. Apple encrypts your disk, but they hold keys for their own systems. iCloud integration is everywhere.
- Firmware — the code that runs before the OS — is closed and unverifiable on most laptops.
For the average user, the risk is manageable. For someone who takes privacy seriously, it’s a problem.
Hardware: which laptop to choose
What makes hardware “secure”?
Three criteria:
1. Open firmware support: laptops that support Coreboot — open-source firmware instead of a closed BIOS — are more transparent. You can verify what runs before the OS.
2. Linux compatibility: not every laptop works well with Linux. Wi-Fi drivers, touchpad, suspend — some manufacturers only ship Windows drivers.
3. Repairability and transparency: hardware you can open, upgrade, and inspect yourself. Framework and ThinkPad are the standard here.
Recommended hardware
ThinkPad (Lenovo) — best overall choice
ThinkPads are the standard in the Linux world. Good driver support, solid build quality, easy to open and upgrade. Refurbished ThinkPads are affordable and well-tested.
Recommended models:
- ThinkPad X1 Carbon — light, long battery, excellent Linux support
- ThinkPad T-series (T480, T490, T14) — solid, expandable, cheap refurbished
- ThinkPad X230 — old but fully Coreboot-supported, popular in the security community
Buy refurbished: a ThinkPad T480 with 16GB RAM and SSD can be found for €200-300. Does everything you need.
Framework Laptop — best for repairability
Framework is modular: screen, battery, ports, keyboard — all user-replaceable. Good Linux support, transparent company.
More expensive than a refurbished ThinkPad, but you’re buying something that lasts ten years.
System76 — Linux-first manufacturer
American company selling laptops with Linux pre-installed. Hardware specifically tested with their own Pop!_OS. Higher price, but you have a working system out of the box.
What to avoid:
- Cheap Chromebooks with closed firmware
- Gaming laptops (poor battery life, Windows-dependent GPU drivers)
- Surface laptops (closed hardware, poor Linux support)
Choosing an OS
The main choice: which Linux distribution?
See the Linux distro guide for a full comparison. Short version:
For beginners:
- Linux Mint — closest to Windows feel, stable, good hardware support
- Ubuntu — large ecosystem, lots of documentation, easy installation
- Pop!_OS — good for gaming and new hardware, made by System76
For privacy and security:
- Fedora — cutting-edge, strong SELinux integration, backed by Red Hat
- Debian — stable, minimalist, long support cycles
- Tails — everything via Tor, no traces on disk, for temporary anonymous use
- Whonix — virtual machines for compartmentalisation, for advanced users
For advanced use:
- Arch Linux — maximum control, minimal installation, lots of work
- NixOS — reproducible configuration, declarative system
→ Start with Linux Mint or Fedora if you’re new. Move to Debian or Fedora for more control.
Installation: what to get right
Enable full-disk encryption
This is the most important thing. Without disk encryption, anyone who gets your laptop — a thief, customs officer, colleague — can read your files.
During installation, every major distro offers this. Always say yes.
Linux Mint / Ubuntu: Check “Encrypt the new Ubuntu installation for security” during installation.
Fedora: Choose “Encrypt my data” in the installation wizard.
The system will ask for a password before loading the OS on every boot. This is normal and correct.
→ Always enable this. No exceptions.
Secure the BIOS/UEFI
Set a BIOS/UEFI password. This stops someone with physical access from changing the boot order and booting from a USB stick, which is how an attacker tries to tamper with the unencrypted boot partition and get around disk encryption.
Also enable Secure Boot if your distro supports it (Fedora and Ubuntu do by default); it verifies the bootloader’s signature before running it.
Encrypt swap
If you use swap space (virtual memory), make sure it’s encrypted too. Otherwise sensitive data — passwords, documents — can end up in plaintext on disk.
With full-disk encryption enabled during installation this is usually automatic, because the installer places swap inside the encrypted container. Verify it:
cat /proc/swaps
lsblk -f
cat /proc/swaps lists the active swap device. In the lsblk -f output that device should appear indented under a crypto_LUKS entry (as a /dev/mapper name), not as a plain partition. If swap isn’t encrypted: set it up with cryptsetup, or disable swap if you have enough RAM.
After installation: settings
Enable the firewall
sudo ufw enable
sudo ufw status
UFW (Uncomplicated Firewall) is off by default on many distros. Turn it on. Default settings block incoming connections and allow outgoing.
Enable automatic updates
Security updates need to arrive fast. On Ubuntu/Mint:
Settings → Software & Updates → Updates → Security updates → Install immediately
On Fedora:
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
Then set apply_updates = yes in /etc/dnf/automatic.conf: with the default setting the timer only downloads updates and does not install them.
Verify encryption status
lsblk -f
Look for crypto_LUKS in the FSTYPE column. If it’s there, that partition is encrypted, and the filesystems actually in use (/, swap) should appear indented beneath it, which means they live inside the container.
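The swap check earlier and this lsblk check can be done in one go. The following is an added example, not part of the original guide: it reads the JSON form of lsblk’s output and reports every mountpoint (swap included) that does not sit inside a crypto_LUKS container. The block layout at the bottom is constructed; pipe in the output of lsblk -J -o NAME,FSTYPE,MOUNTPOINT to check a real system.

```python
"""Report mountpoints (swap included) that are NOT inside a LUKS container.
Added example, not from the original guide. It walks the tree printed by
`lsblk -J -o NAME,FSTYPE,MOUNTPOINT`, so it also handles the usual installer
layout where root and swap are LVM volumes inside one crypto_LUKS partition."""
import json
import sys

# Unencrypted by design in the standard layout (bootloader and kernel live
# here, not user data), so these two are not reported.
EXPECTED_PLAIN = {"/boot", "/boot/efi"}


def walk(node, under_luks, out):
    """Recursively record mountpoint -> encrypted? for every device node."""
    # A node is protected if it, or any ancestor, is a crypto_LUKS container.
    encrypted = under_luks or node.get("fstype") == "crypto_LUKS"
    if node.get("mountpoint"):
        out[node["mountpoint"]] = encrypted
    for child in node.get("children", []):
        walk(child, encrypted, out)
    return out


def audit_encryption(lsblk_json):
    """Return {mountpoint: bool}; lsblk labels active swap as '[SWAP]'."""
    out = {}
    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False, out)
    return out


def unprotected(lsblk_json):
    """Sorted mountpoints that hold data and are not encrypted."""
    return sorted(mp for mp, enc in audit_encryption(lsblk_json).items()
                  if not enc and mp not in EXPECTED_PLAIN)


# Constructed sample: encrypted root under LVM, but swap on a plain
# partition outside the container, which is the mistake this check finds.
SAMPLE = json.dumps({"blockdevices": [{"name": "nvme0n1", "children": [
    {"name": "nvme0n1p1", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "fstype": "crypto_LUKS", "children": [
        {"name": "dm_crypt-0", "fstype": "LVM2_member", "children": [
            {"name": "vg-root", "fstype": "ext4", "mountpoint": "/"}]}]},
    {"name": "nvme0n1p4", "fstype": "swap", "mountpoint": "[SWAP]"}]}]})

if __name__ == "__main__":
    # Real use: lsblk -J -o NAME,FSTYPE,MOUNTPOINT | python3 luks_check.py
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for mountpoint in unprotected(data):
        print("NOT encrypted:", mountpoint)
```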
Install a password manager
Use KeePassXC — open-source, local storage, no cloud.
sudo apt install keepassxc # Ubuntu/Mint
sudo dnf install keepassxc # Fedora
Or Bitwarden if you want sync across devices.
Privacy settings per distro
Disable telemetry
Ubuntu: Ubuntu sends crash reports to Canonical.
Settings → Privacy → Diagnostics → Never send
Or via terminal:
sudo apt purge ubuntu-report popularity-contest apport apport-gtk
Fedora: Fedora asks during installation whether you want to send anonymous statistics. Say no. If already installed:
sudo dnf remove abrt
Linux Mint: No telemetry by default. Nothing to do.
Set privacy-focused DNS
Same as with GrapheneOS: your provider’s default DNS sees all your lookups.
Set Quad9 or Mullvad via Settings → Network → [connection] → DNS → Automatic → Off → enter: 9.9.9.9
Or use systemd-resolved for DNS-over-TLS:
sudo nano /etc/systemd/resolved.conf
Add under the [Resolve] section:
DNS=9.9.9.9
DNSOverTLS=yes
sudo systemctl restart systemd-resolved
Check with resolvectl status: the Protocols line should show +DNSOverTLS. Optionally append the server’s hostname to the address (9.9.9.9#dns.quad9.net) so resolved can verify the server certificate against that name.
Browser: the most important daily tool
Firefox (hardened)
Firefox is the standard choice. But default Firefox has telemetry and some privacy issues.
Recommended changes in about:config:
| Setting | Value | Reason |
|---|---|---|
| privacy.resistFingerprinting | true | Makes browser fingerprinting harder |
| network.cookie.cookieBehavior | 1 | Blocks third-party cookies |
| geo.enabled | false | No location access |
| media.peerconnection.enabled | false | Prevents WebRTC IP leak |
| browser.send_pings | false | Disables hyperlink auditing |
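To check an existing profile against this table without clicking through about:config, here is an added example (not from the original guide) that parses the profile’s prefs.js and lists every recommended setting that is missing or has a different value. The prefs.js text at the bottom is constructed; pass the path of a real prefs.js as the first argument instead.

```python
"""Audit a Firefox profile's prefs.js against the about:config table above.
Added example, not from the original guide. Firefox stores every changed
preference in prefs.js as  user_pref("name", value);  so a missing line
means the built-in default still applies."""
import re
import sys
from pathlib import Path

# The guide's table as Python values (types matter: 1 is not True).
RECOMMENDED = {"privacy.resistFingerprinting": True,
               "network.cookie.cookieBehavior": 1, "geo.enabled": False,
               "media.peerconnection.enabled": False, "browser.send_pings": False}
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Turn prefs.js text into {name: value} with bool/int/str values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment lines and blanks
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)  # prefs.js only holds bool, int, string
    return prefs


def audit(prefs):
    """{name: actual} for each recommended pref not set as advised; None
    means the line is absent, i.e. the pref is still at Firefox's default."""
    return {name: prefs.get(name) for name, want in RECOMMENDED.items()
            if type(prefs.get(name)) is not type(want) or prefs.get(name) != want}


# Constructed sample: WebRTC pref absent (default), cookieBehavior 0 (accept all).
SAMPLE = '''// Mozilla User Preferences
user_pref("privacy.resistFingerprinting", true);
user_pref("network.cookie.cookieBehavior", 0);
user_pref("geo.enabled", false);
user_pref("browser.send_pings", false);
user_pref("browser.startup.homepage", "https://example.org");
'''

if __name__ == "__main__":
    # Real use: python3 ffaudit.py ~/.mozilla/firefox/<profile>/prefs.js
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE
    for name, actual in audit(parse_prefs(text)).items():
        print(f"{name}: is {actual!r}, want {RECOMMENDED[name]!r}")
```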
Extensions:
- uBlock Origin — ad and tracker blocker, essential
- LocalCDN — replaces CDN requests locally
- ClearURLs — strips tracking parameters from URLs
Mullvad Browser
Made by the Mullvad team together with the Tor Project. Hardened Firefox with fingerprint protection built in. No telemetry. Good alternative if you don’t want to configure Firefox yourself.
Download at mullvad.net/browser.
Tor Browser
For anonymous browsing. Slow but effective. See the VPN guide for when Tor is the right choice.
Safe use in practice
Keep the disk locked
Lock the screen when you step away. Set auto-lock to 2-5 minutes.
GNOME: Settings → Privacy → Screen Lock → Lock after 2 minutes
On a cold boot (after a full shutdown, not just a locked screen), the disk key is not in memory at all, so the system is in its strongest encryption state — similar to BFU (Before First Unlock) on GrapheneOS.
Webcam and microphone
Put a webcam cover on the camera when not in use. Cheap, effective, and a clear signal that you’re serious.
Check which apps have microphone access in your system settings.
No unknown USB devices
USB drives from unknown sources: don’t plug them in. USB attacks (BadUSB) are real.
If you want to inspect a found USB drive: do it in an isolated VM, not on your main system.
Going further
If you want more isolation:
- Use Qubes OS — an OS built around compartmentalisation via virtual machines. Every task in its own VM. Complex, but the most secure option available for laptop use.
If you want Tor by default:
- Tails — a live OS you run from USB. Leaves no traces on the computer. Ideal for sensitive tasks.
If you need PGP:
- See the PGP guide for encrypted email and file exchange.
Summary
| | Windows | macOS | Linux (hardened) |
|---|---|---|---|
| Telemetry | Heavy | Moderate | None (distro-dependent) |
| Disk encryption | Optional (BitLocker) | Default | Default at installation |
| Open-source | No | Partial | Fully |
| Firmware control | None | None | Possible (Coreboot) |
| Privacy control | Limited | Limited | Full |
A secure laptop isn’t a one-time action — it’s a combination of hardware you can trust, software you can inspect, and habits that protect your data.
See also:
- Which Linux distro to choose?
- From Windows to Linux
- VPN: what it does and doesn’t do
- PGP: encrypted communication
- Bitwarden review — recommended password manager
- KeePassXC review — offline alternative
- Tails OS review — amnesic OS on USB
- iStorage datAshur Pro review — encrypted USB storage
- Browser comparison: Firefox, Brave and Tor — choosing a privacy browser
- USB fingerprint scanner review — biometric login on desktop or older laptop