As I've mentioned before, Linux is the way to go when you don't want to be spied on by your laptop. Perhaps you'd like Tails, as described in a previous section of this chapter, if you are paranoid and don't mind not having an OS where you can boot up and continue from where you left off.

There is better news, though: perhaps the best daily driver, if you are willing to go the extra mile. It isn't a totally 'out of the box' solution, but it is all you need once you get to understand it.

I am talking about QubesOS, which is one of the best Linux distros for privacy and security. It is Fedora based, but with a twist: it isolates workloads in virtual machines (VMs), so-called 'security by isolation'. This ensures that any risky app runs separately from your banking or gaming apps.

It even has qubes (virtual machines) which run in a one-time sandbox! To make things easier, Qubes shows each virtual machine in a different color, so you can easily see if you're in your Bitcoin or your personal space, or even in your vault, which is completely off the internet.

Qubes runs the WiFi driver in a dedicated, unprivileged network VM, the NetVM. This reduces the attack surface. Additionally, QubesOS is firewalled by default with no incoming ports open. TCP and ICMP timestamps are also disabled by default.

You can have Fedora Virtual Machines, but also Debian and even Windows VMs.

One of the best options, though, is a Whonix-based VM, which runs the entire VM over the Tor network. Whonix is based on Debian and Tor and basically uses two VMs, one a gateway and the other a workstation. Qubes's security architecture utilizes Whonix's isolation by having the gateway act as a Proxy VM that routes all network traffic through Tor, whilst the workstation is used to make App VMs.

Mullvad also has a good explanation on how to run your own VM or any number of VMs over Mullvad VPN servers.

Mullvad on Qubes OS 4 - Guides | Mullvad VPN
How to install and run Mullvad on Qubes OS 4.

Bear in mind that Mullvad is one of only two VPN providers which we would recommend.

Privacy Cookbook - Chapter 4.1 - VPN Providers
Be aware... using a VPN is not without risks and you need to appreciate what it will and what it won't do for you. It will not keep your browser history secret, it will not provide security for non-secure (HTTP) traffic, it will not provide anonymity. However, if what you are after is to mask y…

In other words, you could have your Banking Virtual Machine in your actual country, your Football VM in England or Germany to watch the Premier League or Bundesliga uninterrupted and for free and your daily research and communication VMs over the Tor Network. And another one for Bitcoin and so on and so on!

Best of all, none of these VMs are able to touch each other, yet you can still share files between them. The power is endless. Sadly, not all hardware supports it, so first check the official website to make sure your machine can run it.

Hardware Compatibility List (HCL)
Qubes is a security-oriented, free and open-source operating system for personal computers that allows you to securely compartmentalize your digital life.

Here are some of the best additional features that help make this system so secure and private when you're networking in Qubes:

Protect against data leaks by setting up a dummy (empty) NetVM field for the corresponding VM.

Protect against the possibility of malware persisting across VM reboots by having Qubes ServiceVMs set up as a Static DisposableVM, which can rapidly open untrusted apps, attachments, links, or anything else deemed to be risky.

Additionally, hardware risk mitigation ensures that microphones are never attached to VMs by default.

Users can choose to use a Yubikey for authorization purposes, which protects against password snooping and bolsters USB keyboard security. It is also possible to isolate the USB stack in a dedicated USB VM, which protects the admin domain (dom0) from untrusted USB devices.

Finally, Qubes implements full-disk encryption by default using LUKS dm-crypt, and users can manually configure their own encryption parameters if they so choose.
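To check that the empty NetVM setting and the Whonix gateway routing described above are actually in place, the following added example (not from the original post or the Qubes project) walks each qube's NetVM chain and flags any that break the intended policy. It assumes input shaped like `qvm-ls --raw-data --fields NAME,NETVM` output (`name|netvm`, with `-` for no NetVM); the qube names, the sample data and the policy are constructed for illustration.

```python
# Added example: audit qube network paths against an intended policy.
# Assumed input format: "name|netvm" per line, "-" meaning no NetVM.
# SAMPLE is constructed data; qube names and POLICY are hypothetical.
SAMPLE = """\
sys-net|-
sys-firewall|sys-net
sys-whonix|sys-firewall
sys-vpn|sys-firewall
vault|-
banking|sys-firewall
football|sys-vpn
research|sys-whonix
bitcoin|sys-firewall
"""

# qube -> gateway its traffic must cross, or None if it must stay offline.
POLICY = {"vault": None, "research": "sys-whonix",
          "football": "sys-vpn", "bitcoin": "sys-whonix"}

def parse(raw):
    """Build {qube: netvm or None} from the pipe-separated listing."""
    rows = (line.split("|") for line in raw.split())
    return {r[0]: (None if r[1] in ("-", "") else r[1]) for r in rows}

def path(table, qube):
    """Follow NetVM links upstream and return every qube the traffic crosses."""
    chain, seen = [], {qube}
    hop = table.get(qube)
    while hop is not None:
        if hop in seen:
            raise ValueError(f"NetVM loop at {hop}")
        chain.append(hop)
        seen.add(hop)
        hop = table.get(hop)
    return chain

def audit(table, policy):
    """Return one finding per qube whose network path violates the policy."""
    findings = []
    for qube, gateway in sorted(policy.items()):
        chain = path(table, qube)
        shown = " -> ".join(chain) or "offline"
        if gateway is None and chain:
            findings.append(f"{qube}: must be offline, but routes via {shown}")
        elif gateway is not None and gateway not in chain:
            findings.append(f"{qube}: must transit {gateway}, path is {shown}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SAMPLE), POLICY):
        print(finding)
```

In the constructed sample, `bitcoin` is attached straight to `sys-firewall`, so it is reported as bypassing the Tor gateway, while `vault` passes because its chain is empty.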

As is the case with many Linux distros, Qubes appears difficult to master and is probably not for the casual consumer. That said, you can install Qubes directly, as opposed to rebooting it every time via a CD, which does make it better for daily usage than, say, Tails.

I personally run this on a Purism notebook, which is smooth, secure and open source. I will probably review Purism hardware in a separate blog post soon.

Qubes is the best OS for security and privacy and makes efficient use of system resources. It does, however, involve a pretty steep learning curve, though by no means an impossible one.

If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better.    
Edward Snowden

Stay safe, people!
The PA