Profile: high risk and full OpSec
This is the heaviest base profile. You operate in an environment where a mistake can have serious legal, physical or personal consequences and full OpSec is required.
This article is for people for whom digital mistakes can have serious personal, legal, or physical consequences. Think: people living under authoritarian governments, whistleblowers exposing state secrets, people who are being seriously threatened or surveilled, or anyone in an active legal conflict where digital evidence plays a role.
Who this profile is for
This profile is for people whose risk is not theoretical. It fits readers who may face:
- targeted surveillance by a state, employer, or organised adversary
- serious legal, physical, or personal consequences after one digital mistake
- a real need for compartmentalisation across identities, devices, and contacts
This is not a beginner article. The previous profiles are the foundation. This article builds on them.
Honesty first: No system is perfect. OpSec is a practice, not a destination. The question is not “am I 100% safe?” — that question has no answer. The question is: “am I making it expensive enough for my adversary?”
Use this only as your base profile when your situation genuinely requires compartmentalisation, minimal footprint and protection against advanced targeted adversaries.
Do not use this profile as an escalation path because you want to be “even more privacy-friendly.” This is for situations where the extra friction, isolation and social consequences are genuinely justified by the risk.
The difference from lower risk
At lower risk levels, it’s about protection against automated, mass threats. At high risk, it’s about targeted, sophisticated attacks — an adversary who is specifically looking for you and has resources to invest in that.
That changes the model fundamentally:
- One weak link is enough to undermine the entire system
- Metadata is just as dangerous as content
- Physical security is just as important as digital security
- Social engineering (manipulating people) is more effective than technical attacks
What you gain, and what it costs
If you apply this profile seriously, you typically gain:
- less chance that one device, account or mistake exposes all your activities at once
- better separation between identities, contacts and tasks
- more control over metadata, source protection and device seizure risk
- more resilience if one component does get compromised
But it costs something:
- significantly more friction in daily use
- multiple devices, identities or workflows you must consistently maintain
- less spontaneity, because actions that are normal for others can create risk here
For this profile that is usually a reasonable trade. If you cannot sustain this discipline, a smaller but consistent setup is safer than a “perfect” system you only half use.
Core principles of full OpSec
1. Compartmentalisation: Every activity, identity, and device is separated. Your anonymous account must never be traceable back to your real name — not via an IP address, not via writing style, not via a shared contact.
2. Threat modelling: Know exactly who your adversary is, what they want, and what they’re capable of. A state actor with access to NSO Group tools is different from an angry ex-partner. Your security adapts accordingly.
3. Minimal footprint: Share as little information as possible. This applies to digital traces but also to what you tell whom.
4. Trust nothing blindly: No platform, no tool, no person is automatically trusted. Trust is something that is earned and verified.
Devices and infrastructure
Phone
- GrapheneOS — no equivalent alternative at this threat level. See the hardening guide for full configuration. (Currently on iPhone and can’t switch? At minimum enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) — this is the iOS measure that most significantly reduces the attack surface for Pegasus-type attacks. See also iPhone privacy settings. Switch to GrapheneOS as soon as that becomes possible.)
- Auto-reboot set to 18 hours (default) or shorter — regular return to BFU (Before First Unlock) state
- USB fully disabled when charging wirelessly
- No SIM card for anonymous activities — use wifi-only with Tor or VPN
- Know the duress PIN (GrapheneOS: wipes device when entered)
- Physical camera cover if you don’t trust the hardware camera toggle
For anonymous activities: a separate phone, bought with cash, activated over wifi without your real identity.
That does not mean everyone in this profile immediately needs three phones. Start with one well-hardened device and only add separate devices when identities or risks genuinely need to be kept apart.
Laptop
- Tails for anonymous tasks — boots from USB, leaves no traces. See tails.net and the Tails OS review
- Compartmentalisation guide — when Qubes OS and Whonix are the right step, how to choose and how to start. See also the Qubes OS review and Whonix review for product details.
- Full-disk encryption goes without saying (LUKS on Linux)
- BIOS password + Secure Boot
- Laptop physically secured: don’t use the built-in webcam (cover it), disable microphone at OS level
Choose deliberately here — not everything at once:
- use Tails for tasks that genuinely must leave no local traces
- use Qubes OS only if you can operationally manage that compartmentation
- don’t keep a regular laptop half-converted in a limbo state you no longer trust
Network
- Tor for anonymous communication — not for streaming or heavy use, but for sensitive matters it has no substitute
- VPN comparison — Mullvad is often the practical daily-use outcome, with no account and payment via cash or Monero. Not a Tor replacement, but a layer.
- Never on public wifi for sensitive activities without VPN + Tor
- At home: separate router for sensitive activities, or use a GL.iNet with OpenWrt and strict DNS
A VPN does not replace Tor, and Tor does not replace good compartmentalisation. Network layers only help if your device, account and behaviour layers are also right.
Communication
Messaging
Signal setup guide as the primary messaging route for known contacts; Molly is the more privacy-hardened Signal variant:
- Database encryption independent of phone lock (Molly-FOSS passphrase)
- Disappearing messages set to 24 hours or less by default
- Verify safety numbers with every contact
For contacts without Signal: Matrix via Element with a private server, or PGP email.
Never: WhatsApp, Telegram (default), SMS for anything sensitive.
Choose communication by task:
- Molly/Signal for known contacts where reliability and practical security still matter
- SimpleX, Session or Briar when identifier-free or more strongly isolated contact is genuinely needed
- SecureDrop for anonymous submissions and source contact in journalistic contexts
- PGP email only where email genuinely must remain, not as a general chat substitute
Use email in this profile only for what genuinely has to remain email. Start with choosing secure email without overkill to decide whether you need a provider choice, a portal route, or a heavier PGP workflow here.
For sensitive email outside Proton-to-Proton traffic, PGP is often necessary. See the PGP guide.
As a provider, Proton Mail is usually the most practical privacy-friendly route — see choosing secure email without overkill for the decision and the Proton Mail review for product details. Posteo is a more minimal alternative without tracking. Self-hosting gives more control, but it also requires more expertise and operational discipline.
Remember: email metadata (who sends to whom, when) is always visible to the provider. PGP encrypts the content, not the envelope.
Anonymous communication
For source contact or anonymous information exchange:
- SecureDrop — built specifically for anonymous source contact with journalists
- SimpleX Chat — no identifier, no account, servers cannot see who is talking to whom
- Briar — peer-to-peer via Tor, no server, also works without internet (Bluetooth/wifi)
- Session — no phone number required, onion routing, decentralised
Stripping metadata
Every file you share contains metadata: creation time, username, GPS coordinates (in photos), software version.
Required for every file you share:
# Images
exiftool -all= file.jpg
# Documents
mat2 file.pdf
# LibreOffice
File → Properties → remove personal information
MAT2 is available for Linux on most distributions. On Android, use Scrambled Exif or Metadata Remover via F-Droid, but note that those only handle images, not documents. Strip document metadata on desktop with mat2 or through LibreOffice. Always verify after stripping that metadata is actually gone.
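An independent check for the "verify after stripping" step, added here as an example (not part of the original article). It walks the segment headers of a JPEG and reports Exif, XMP, IPTC, or comment blocks that are still present; it covers only JPEG files and only those segment types, and the sample byte streams are constructed for illustration.

```python
import struct
import sys

XMP_PREFIX = b"http://ns.adobe.com/xap/1.0/\x00"

def classify(marker, payload):
    """Return a label if this JPEG segment type carries metadata, else None."""
    if marker == 0xE1:  # APP1 holds Exif (camera, GPS, timestamps) or XMP
        if payload.startswith(b"Exif\x00\x00"):
            return "Exif"
        return "XMP" if payload.startswith(XMP_PREFIX) else "APP1-unknown"
    if marker == 0xED:  # APP13: IPTC / Photoshop blocks (author, caption)
        return "IPTC"
    if marker == 0xFE:  # COM: free-text comment, often written by software
        return "comment"
    return None

def jpeg_metadata_segments(data):
    """Walk segments from SOI to start-of-scan; list metadata still present."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xDA, 0xD9):  # image data or end of image: headers are over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        label = classify(marker, data[pos + 4:pos + 2 + length])
        if label:
            found.append(label)
        pos += 2 + length
    return found

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample streams (not real photos): same image part, with and without metadata.
_BODY = _seg(0xDB, bytes(65)) + _seg(0xDA, bytes(10)) + b"\x00\xff\xd9"
_JFIF = _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
DIRTY = b"\xff\xd8" + _JFIF + _seg(0xE1, b"Exif\x00\x00II*\x00") + _seg(0xFE, b"user=alice") + _BODY
CLEAN = b"\xff\xd8" + _JFIF + _BODY

if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python check_jpeg.py stripped.jpg
        with open(path, "rb") as fh:
            left = jpeg_metadata_segments(fh.read())
        print(path, "clean" if not left else f"still contains {left}")
```

An empty result means none of the checked segment types remain; it does not cover data appended after the end-of-image marker or other file formats.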
Physical security
Digital security stops at the physical world.
Device seizure
- Know how to quickly enter lockdown mode (GrapheneOS: power button → Lockdown)
- Practice this — it needs to be reflexive
- Configure a duress PIN (GrapheneOS)
- Don’t store anything you wouldn’t want found — if it doesn’t exist, it can’t be discovered
Bugging and surveillance
- Faraday bag for your phone at sensitive meetings — no signal = no location tracking, no microphone activation via network
- Meetings on sensitive topics: phones out of the room
- Be aware of cameras in public spaces
Social engineering
Most successful attacks are social, not technical. Someone pretending to be a colleague, a fake urgent request, a trusted contact who has been compromised.
Always verify identity out-of-band before sharing sensitive information.
If you think you still mainly need one better app, that is often a sign your threat model is still too tool-focused. At this level, routines, separation and discipline are at least as important as software.
What you can’t protect against
Honesty matters. There are limits:
Zero-day exploits — unknown vulnerabilities in software that government agencies or commercial parties (NSO Group, Cellebrite) use. GrapheneOS significantly reduces the attack surface but provides no absolute guarantee.
Compromised contacts — if someone in your network grants access, your own security does nothing. Compartmentalisation limits the damage.
Physical coercion — no software protects if someone physically forces you to unlock. That is a legal and social problem, not a technical one.
Human error — one mistake can undermine everything. Routine, checklist thinking, and deliberate attention are the only protection.
Help resources
- EFF Surveillance Self-Defense (Threat Modelling)
- Access Now Digital Security Helpline — free help for threatened journalists and activists
- Front Line Defenders — digital security for human rights defenders
- Security in a Box
- Bits of Freedom — Dutch digital civil rights
Next step
Start here
- Do I need to switch phones? — the spectrum explained
- GrapheneOS hardening guide — if you’re taking the device layer seriously
- GrapheneOS profiles — separating identities and functions on device
- PGP: encrypted communication — for email scenarios where chat isn’t sufficient
- Spyware detection guide — stalkerware and advanced spyware detection
Also relevant
- Profile: journalist or activist
- Which network setup fits your profile? — Deciso and OPNsense for high-risk
- SimpleX Chat guide — messaging without a phone number or account
- Session guide — decentralised, onion routing
- Briar guide — peer-to-peer over Tor, works without internet
- Tor on GrapheneOS — Orbot, Mullvad and anonymous browsing
Reviews and further reading
- Tails OS review — anonymous operating system
- Compartmentalisation guide — when Qubes and Whonix are justified and how to start
- Qubes OS review — product detail for daily compartmentalisation
- Whonix review — isolation system that runs inside Qubes
- Signal setup guide — Molly-FOSS, safety numbers, Tor proxy
- Signal and Molly review — background and profile fit