Inspired by this post, I decided to see if I could identify any single points of failure in my own setup.

Prerequisites

There are two notable systems that should be mentioned:

The 3-2-1 rule

The 3-2-1 rule can aid in the backup process. It states that there should be at least 3 copies of the data, stored on 2 different types of storage media, and one copy should be kept offsite, in a remote location (this can include cloud storage). 2 or more different media should be used to eliminate data loss due to similar reasons (for example, optical discs may tolerate being underwater while LTO tapes may not, and SSDs cannot fail due to head crashes or damaged spindle motors since they do not have any moving parts, unlike hard drives). An offsite copy protects against fire, theft of physical media (such as tapes or discs) and natural disasters like floods and earthquakes. Physically protected hard drives are an alternative to an offsite copy, but they have limitations like only being able to resist fire for a limited period of time, so an offsite copy still remains as the ideal choice.

The factors of authentication

The ways in which someone may be authenticated fall into three categories, based on what is known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity before being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of the elements of each factor are:

1. Knowledge: Something the user knows (e.g., a password, partial password, passphrase, personal identification number (PIN), challenge–response (the user must answer a question or pattern), security question).
2. Ownership: Something the user has (e.g., wrist band, ID card, security token, implanted device, cell phone with a built-in hardware token, software token, or cell phone holding a software token).
3. Inherence: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifiers).

What KeePassXC offers

KeePassXC is an open-source cross-platform password manager. It mainly stores password databases locally, but you can simply store the file on the cloud for cloud sync. However, this method is botch-y at best, and adds the additional complexity of storing the credentials for the cloud drive.

The database can be protected with any of the following:

Password: This is something the user knows. It can be a password or a passphrase. This can be written down to become something the user has physically, or stored in a file to become something the user has digitally. Storing it in a file is generally not safe due to temporary file leaks.

Key File: This is something the user has. This is stored digitally. This file should either be kept on a separate drive, encrypted with something like LUKS or VeraCrypt, or both. It is possible to convert it to readable text and print it as a physical copy, but reversing the process every time you want to unlock your database would be cumbersome.

Hardware Key: This is something the user has. This is stored physically. You can use hardware security keys such as the YubiKey or OnlyKey for this.

Quick Unlock: This is something the user is. Quick Unlock is only available on Windows and macOS as a form of biometric authentication. It is only available for devices that have a built-in biometric scanner, or by using an attachable biometric scanner. There is most likely a way to achieve this on Linux, but the documentation is scarce.

Any combination of these methods can be used to protect a KeePassXC database. At least one must be used. However, if you use multiple methods, all of them must be used to unlock the database (e.g. if you set up a password and a key file as the methods to unlock the database, you can't only use the password or only use the key file to unlock it, you must use both.)

The problems

Each method has a single point of failure, and the fact that you can't set up multiple methods of authentication but choose one to unlock the database means that the more methods you choose to protect your database with, the likelier it will be that one method fails.

Password: This can be forgotten, lost or stolen from a piece of paper (if it's written down), keylogged or shoulder surfed, leaked through temporary files or stolen (if it's stored digitally), corrupted or permanently encrypted (if it's stored digitally), have the drive physically lost or stolen (if it's stored digitally), unconsciousness (if you only stored it mentally and needed someone else to unlock it for you), or forced our of you with torture.

Key File: This can be leaked through temporary files (if not stored properly), hacked and stolen, corrupted, permanently encrypted (if you are unable to decrypt it), or have the drive physically lost or stolen.

Hardware Key: This can be damaged, stolen, or lost.

Quick Unlock: This can be spoofed (if not set up properly), damaged, general failure to authenticate, damage to you (e.g. facial damage in a fire), or hacked with zero-day vulnerabilities (since Windows and macOS are proprietary).

If any one of these fails, the database is permanently locked.

Some solutions

There are some improvements that you can use to mitigate some of the single points of failure. All methods of authentication can be redone if something happens, but you need to unlock the database to do so (e.g. you can change your database password if it gets leaked, but you need to be able to unlock the database first, so it doesn't help if you lose your password).

Password: You can store your password using something like a password card. Passphrases are also easier to remember than passwords. Both passwords and passphrases can be safely written down on paper by enciphering them first. However, this introduces new complexities and single points of failure if you are unable to decipher the password.

Key File: The use of the 3-2-1 rule can help make sure the key file never gets lost, but extra care should be taken to make sure the file never gets stolen.

Hardware Key: You can set up multiple hardware security keys in order to make sure if one gets lost you can use the other. One key should be kept with you at all times, and the other should be safely stored somewhere else (such as a safe deposit box).

Quick Unlock: I have never used this feature, but assuming it's anything like FaceID, you should set up multiple people (such as trusted friends and loved ones) to be able to unlock with biometrics. This ensures that if something happens to you, someone else can unlock it in an emergency or other reasons you may need someone to unlock it for you.

Plugins

While I may be wrong, KeePassXC does not support plugins directly. Ideally you should be able to have plugins for things such as proper cloud sync, TOTP database protection, and changing the all-or-nothing nature of unlocking the database. However, since KeePassXC is open source, someone could make a fork of KeePassXC that supports plugins (please, call it KeePlugXC).

Database syncing

Besides not being able to unlock your database, your database file itself is largely subject to the same single points of failure as a key file. The difference is the database is completely encrypted, and is safe (although not ideal) if it gets leaked. You can store your database in as many places as you'd like, to make sure it never gets corrupted, but the issue is syncing the database as that would be a manual task. The solution presented is the botched cloud storage, but for those who want a local solution, that is not ideal.

Final notes and questions

KeePassXC is very feature rich, so there are other things that can be used to aid the process of preventing database lockouts; but even so, it's a very difficult task. How is your KeePassXC database set up? Are there any single points of failure? How have you fixed some of the issues listed here? Is there a perfect or near-perfect system for eliminating lockouts?

I've noticed that ads are absolutely everywhere, and wanted to post this to disillusion some of the places we see ads but don't realize. It would be harder to make a list of places you don't see ads.

Websites

The most common place to see ads is on nearly every website you visit. It's usually the most intrusive, especially with popups.

Books

The very end page of books and back cover of books will often advertise books written by the same author.

Billboards

Billboards along busy streets and highways often display static or moving ads. A notable mention is its role in the book Fahrenheit 451, where it was theorized that as cars get faster ads would have to be stretched out so people can see them better at high speeds.

Operating systems

Some Android operating systems, as well as Windows, show ads in a non intrusive way.

Apps

Especially mobile games, ads will be displayed anywhere possible, and sometimes used as a reward system. Social media apps display ads while scrolling, and even messaging apps will have some sort of promotion like requesting donations.

Mail

Deemed "junk mail", companies will collect and sell the address of residents in order to send useless advertisements to the residents. This can't usually be opted out of. In my opinion, this should be illegal.

Phone calls

Especially when put on hold, businesses will interject occasional advertisements in between the low quality jazz music. Customer support will also often advertise products to you while you are being assisted.

Newspapers

Newspapers have entire pages filled with ads. Some of these are promotional coupons that can be used to get overpriced products for a regular price.

Magazines

Magazines are fundamentally only used to advertise products in a passive way. The chances you actually have a meaningful experience with a magazine are slim. They are often placed in waiting rooms as a form of entertainment for people who don't want to use a phone at the time.

Music

Between songs in radio broadcasts, long ad breaks will be placed. Music streaming services will also inject ads between songs. Even the hosts of podcasts will have sponsorship segments.

Disk movies

DVD and Blueray disks will often come with ads baked in to advertise "upcoming" movies. That is, until 10 years passes and Peter Pan becomes a funny ad to see.

Movie theaters

Between movie showings, movie theaters will display long ad segments while you wait for the movie to begin. Some very long movies are even split in half, with an ad break in between for you to empty your wallet and refill your popcorn.

Bleachers

In sporting events, moving ads will be displayed under bleachers. Fun fact, these ads change depending on which channel you are watching the game from.

Commercials

Between live television, you will get 1-3 minutes of commercials and then watch the shortest segment of your actual show.

Baked into videos

Videos such as YouTube videos will have sponsorships and self-promotion baked in, causing the drastic rise of SponsorBlock.

Torrents

Some torrented files will also have text or image files attached advertising other torrenting services.

Vehicles

Buses, vans, cars, and others are often plastered with ads for different services. If you're in a car wreck, call emergency services first, not an auto repair shop.

Social media

Social media is one of the go-to methods of marketing. Besides the ads you see while doom scrolling, many pictures and videos uploaded will simply be ads for products.

Gas stations

Plastered all over gas stations, and apparently displayed on some gas pump screens, ads are placed everywhere. Is that not more of a fire hazard than eight closely packed gasoline tanks?

Posters

Pasted inside schools, workplaces, plastered on power poles and sides of buildings, posters are cheap to make and placed everywhere.

Instruction manuals

When buying a product, besides impossibly small print, some instruction manuals will have ads pasted in certain sections. Some devices like mice, keyboards, and headphones advertise proprietary software required to get the full extent of your product.

Wearables

T-Shirts, pins, bracelets, hats, and all other kinds of merch will display company names for everyone to see. Ironically, companies see these kinds of clothing as inappropriate attire on the job.

Pens

Another kind of merch, nearly every free pen has the name and contact info of businesses on it.

Redirects to downloads

Some websites will redirect you to ad websites before beginning your download. Lots of these websites (such as the infamous AdFly) are malicious and will encourage you to download malicious software.

Grocery stores

Solicitors in store, ads during checkout, product placement all throughout the store, ads over the intercom, nearly every type of ad imaginable can be found in grocery stores.

Speakers on public transport

Some subways and buses will play ads over the speakers while you travel. No napping on the bus, we want you awake to hear our ads!

Emails

Spam emails are frequently sent to people, so commonly an entire folder is dedicated to housing them. Even places you legitimately gave your email to will send you spam.

Comments and chat messages

People will often self promote their accounts on various platforms. This is a common place for scams to arise.

Solicitors

Solicitors will come on your private property just to sell their products to you. Just when you thought ads could never come knocking on your doorstep, they did.

Lawns

Lawn signs for services such as lawn care or political messages will be placed on people's property as a form of willing advertisement. Flowers look a lot better than rust and plastic.

Airplanes

Some airplanes will pull long banners with ads behind them. This is usually surrounding sporting events.

Brand names

Products produced by any company will have brand names on them. This makes it easy for advertising to flow through word-of-mouth. But seriously, where did you get that shirt from?

Search engines

Almost all search engines will display ad websites before legitimate search results

This post

Even this post had an advertisement in it that I bet most of you missed. I passively advertised "SponsorBlock" under "Baked into videos". If you missed it, that's ok. Advertising has become so common that people have become desensitized to it.

Not sure which news website I should be using for the link, sorry! I'm happy to change it if anyone has a better one.

Google agreed to destroy or de-identify billions of records of web browsing data collected when users were in its private browsing “Incognito mode,” according to a proposed class action settlement filed Monday.

The proposal is valued at $5 billion, according to Monday’s court filing, calculated by determining the value of data Google has stored and would be forced to destroy and the data it would be prevented from collecting. Google would need to address data collected in private browsing mode in December 2023 and earlier. Any data that is not outright deleted must be de-identified.

I'm concerned about the privacy implications of DNA testing services like 23andMe or AncestryDNA. What are the potential risks of sharing our genetic data with those companies, and are there any privacy-focused alternatives available?

Hello!

My knowledge about DNS resolvers is somewhat limited. So, in an effort to expand my knowledge and find a DNS resolver that works for me, I've come for help here.

Here is a list of terminology that I either know too little about, don't know anything about, or want to make sure my understanding is correct about:

Cleartext (What does this mean in the context of protocols? Is it inherently bad?)

DoH (I somewhat understand this, but is it less secure than DoT?)

DoH/3 (How is this different from DoH?)

DoT (Is this more private than DoH?)

DoQ (I don't know enough about this, how does it compare to DoH and DoT?)

DNSCrypt (I'm not sure what this is.)

Do53 (I'm not sure what this is. Is it a replacement for DoH/DoT/DoQ, or does it work alongside it?)

DNSSEC (I don't know what this is.)

EDNS padding (I'm pretty sure I know what this is, it just pads DNS queries. What happens if "Cleartext" is used, does it still pad it?)

As for what I'm looking for in a DNS resolver: I don't plan to self host it, I would like support for iOS, Linux, and Android, I would like it to be free, I would like EDNS padding, DoH is preferred (although I don't quite understand the alternatives). I am aware that the DNS resolver will usually be the same as my VPN. Note: I'm not looking for a beginner DNS resolver, I've been using NextDNS for a while now, I'm looking for one with strict privacy and security.

I've tried looking at Privacy Guides and Wikipedia, but I don't know enough to make an educated decision.

Any suggestions?

Thank you all!

All questions are in bold for ease of use.

The major carriers in the United States participate in NSA surveillance (except for T-Mobile apparently, because it's based outside of the US. Except they bought Sprint, which participates.) and that, along with other major privacy issues, means that the market for private carriers is incredibly slim. When I found out that some carriers, such as Mint Mobile, piggyback off of Verizon, I wondered: What's stopping a carrier from simply E2EE everything from Verizon, and then using Verizon to transfer the data? Obviously, the encrypted data could still be collected and sold, but it wouldn't matter if the encryption was setup properly, right? I'm looking to better understand how this works, and, if a solution exists, potentially be the first to make it happen. The reason I'm not suggesting creating a carrier without piggybacking is due to the sheer cost and lack of support it would have, which would lead to poor adoption. Also, if carriers simply don't support E2EE, couldn't carrier locked phones install the software (since most install software anyways) required to make E2EE work?

Hello, Lemmy!

It may be difficult to spend time actively improving some of the services you use to have a more privacy conscious presence, and so this thread is dedicated to help people learn and grow in their privacy journeys! Start by stating which services you currently use, and which ones you may be looking for/want to improve. This thread is entirely optional to participate in, because a lot of people understandably feel uncomfortable listing which services they use. Writing those out can be a lot of work, but the payoff is huge!

Remember these rules:

• Be respectful! Some people are early on in their privacy journey, or have a lax threat model. Just because it doesn't align with yours, or uses some anti-privacy software, doesn't mean you can downvote them! Help them improve by giving suggestions on alternatives.

• Don't promote proprietary software! Proprietary software, no matter how good it may seem, is against the community rules, and generally frowned upon. If you aren't sure, you can always ask! This is a place to learn. Don't downvote people just because they don't know!

• Don't focus solely on me! Since this happened in another one of my posts, I want to mention that this thread is not designed to pick apart only my setup. The point is to contribute your own and help others. That doesn't mean you can't still give suggestions for mine, but don't prioritize mine over another.

• Be polite! This falls under "Be respectful", but be kind to everyone! Say please, thank you, and sorry. Lemmy is really good about this, but there will always be someone.

Here is my setup:

Web browsing

• I use Tor for using online accounts (such as Lemmy, etc.)

• I use Mullvad Browser for general browsing

• I use Librewolf for functionality that Mullvad Browser doesn't have (security keys, etc.)

• I use Firefox + uBlock Origin for streaming videos that break on Librewolf and Mullvad Browser.

• I always use a SearXNG instance for web searches. I always use ProtonVPN (free tier). I use a private DNS resolver.

Desktop

• I use Secureblue (yes, I'm that guy from a post a couple weeks ago)

• I sit behind a firewall.

• I only use FOSS Flatpaks with Flatseal.

• My BIOS is password locked but proprietary (due to compatibility issues).

• I occasionally use Tails because I think it's fun.

• I use full disk encryption, multiple disks, and a second layer of encryption for specific important files (NSA style)

Mobile

• I currently use hardened iOS until I can scrape together some money for a Pixel to use GrapheneOS

• Again, I constantly use ProtonVPN (free tier)

• I use a private DNS when ProtonVPN is turned off

• I use AdGuard, but I browse the internet with the DuckDuckGo app (I can't sideload)

• I use a very strong passcode

• Airplane mode is constantly enabled, I don't have a SIM

• I use a Faraday bag to store my device when I'm in public

• I use a privacy screen protector

Messenger

• I mainly use Signal with a borrowed phone number, because SimpleX is still buggy on iOS, and Signal is the easiest to switch friends to. I rarely use iMessage, but there are times when I have to.

Online accounts

• Passwords are stored in Bitwarden for mobile accounts, and KeePassXC for desktop accounts.

• Yubikey is placed on any account I can, otherwise 2FAS is used

• I keep public accounts (Lemmy, etc.) as locked down as I can.

Video streaming

• I use the native YouTube app on iOS, simply because any of the others I've tried either don't actually work or require a Mac to install. I don't have a Mac, obviously.

• I use FreeTube on desktop, but as I was writing this I was informed that FreeTube has a few issues I may want to look into (Electron).

AI

• I would love to know if there are any Flatpaks that run local LLMs well, but I currently use GPT4All (since that's what I used a year ago).

• On mobile, I use an app made by a friend that gives access to GPT-4 and Gemini. Because it's running off of his own money, I'm not going to share the project until he has a stable source of income.

Social Media

• I don't use any social media besides Lemmy.

Email

• I use ProtonMail

• I have addy.io as an alias service

Shopping/Finance

• I currently either proxy my online purchases through someone else (have them buy it for me and I pay them back), or use a gift card

• For physical purchases I use cash

• I only use my bank account for subscriptions (Spotify, etc.)

• I am working on using Monero and privacy.com

Music streaming

• I use Spotify on my phone

• I use Spotube or locally downloaded files on my computer

• I have multiple AM/FM receivers with some yard long antennas and direct metal connectors

TV shows

• I stream from ethical services for some movies

• I go to a theater or buy a DVD for other movies. I am the proud owner of a USB DVD player.

• I also have an antenna hooked up to my TV

• There are certain IPTV services I have used in the past

• I do not use a smart TV.

Gaming

• I download local games, plain and simple. Or I code my own game.

Programming

• I code in Python using PyCharm. I'm looking for alternatives.

• I will use GitLab when I decide to publish some of my work.

Productivity

• LibreOffice, although the UI is iffy

Misc

• I don't use any location services

• All my clocks are set to UTC

• I don't have a smart watch

• I don't have a smart car

• I use Bluetooth earbuds

• I cover my webcams with paper and tape. Reason: It's worth taking a couple seconds to peel tape off when you use the webcam than to risk a massive breach.

Thanks for reading!

Note here: I found out the other day that a Google Streetview car passed by my house, and my blinds being shut were the only thing keeping my room away from prying eyes. Is there an easy way to blur/censor my house without giving up my soul?

Special thanks

Lots of people kindly contributed their personal setups in the comments, and some even made their own posts! I'm really glad I could spark inspiration and start a way for people to learn and grow in their privacy journeys. To think, just this morning, I was stressing on if people would even enjoy the post at all! Thank you all again, and please go forward to inspire others. I am not the person who made this happen, all of you are!

Evidently Tails 6.0 released over a week ago, and my version never prompted me for an upgrade ~~(maybe because it's a major upgrade, I don't know.)~~ In any case, I wanted to first of all spread the word about Tails, and second of all mention this: My one problem with Tails is that it had some outdated software (such as KeePass being a few versions behind), but with the introduction of Tails 6.0, that seems to be resolved.

Tails also has dark mode now. I love dark mode.

Edit: "Automatic upgrades are only available from Tails 6.0~rc1 to 6.0. All other users have to do a manual upgrade."

Due to financial problems, throughout my privacy journey I have only used free tools to enhance my privacy. I was recently thinking about the question: If I had the money to give back to the services I've used, which ones would I donate to? Here is my personal list, which is still a WIP:

I will definitely donate to (13):

• Aegis Authenticator | Donation Link
• GrapheneOS | Donation Link
• KeePassXC | Donation Link
• The Linux Foundation | Donation Link
• LUKS | Donation Link (Help me find!)
• Mullvad | Donation Link (Help me find!)
• The Qubes OS Project | Donation Link
• SimpleX | Donation Link
• SearXNG | Donation Link (Help me find!)
• Tails | Donation Link
• Tor Project | Donation Link
• uBlock Origin | See here
• Whonix | Donation Link

I am very likely to donate to (14):

• Briar | Donation Link
• coreboot | Donation Link
• Electronic Frontier Foundation | Donation Link
• F-Droid | Donation Link
• FreeTube | Donation Link
• The Gnu Privacy Guard | See here
• LibreOffice | Donation Link
• NewPipe | Donation Link
• OpenStreetMap | Donation Link
• OpenPGP | Donation Link (Help me find!)
• OpenVPN | Donation Link (Help me find!)
• Orbot | Donation Link
• WireGuard | Donation Link

I will most likely donate to (7):

• AnonAddy/addy.io | Donation Link
• GtkHash | Donation Link (Help me find!)
• Joplin | Donation Link
• Lemmy | Donation Link
• LibreWolf | See here
• Monero | Donation Link (Help me find!)
• Nitrokey | Donation Link (Help me find!)

I may donate to (12):

• DuckDuckGo | See here
• Fedora | See here
• GitLab | [email protected]
• GNOME | Donation Link
• Molly | Donation Link
• AdGuard | Donation Link (Help me find!)
• Organic Maps | Donation Link
• privacy.sexy | Donation Link
• Proton | Donation Link (Help me find!)
• Signal | Donation Link
• Standard Notes | Donation Link (Help me find!)

I may add more as I think of them. Please leave your ideas!

Note: I'm trying my best to avoid turning this into just a list of privacy tools, but that may end up being what it becomes.

Honorable Mentions (9):

There are some services that I support but either don't use or have not matured enough to donate to.

• 2FAS | Donation Link
• Free Software Foundation | Donation Link
• Mozilla (Firefox) | Donation Link
• GNU Image Manipulation Program | Donation Link
• Invidious | Donation Link
• OsmAnd | Donation Link (Help me find!)
• Piped | Donation Link
• Spotube | Donation Link
• Wine | Donation Link

Some math

I realized I never actually specified any amounts that I would donate to each service, so here is most likely how I will spread my money:

For the services I will definitely donate to, I will donate $50 to each services.

For the services I am very likely to donate to, I will donate $40 to each service.

For the services I will most likely donate to, I will donate $30 to each service, for the ones I decide to donate to.

For the services I may donate to, I will donate $20 to each service, for the ones I decide to donate to.

For the honorable mentions, if they ever become part of my official donation list, I will start with a $10 donation and increase it from there.

For those thinking those are small donations, note that if I were to donate those amounts to every service it would be a total donation of over $1,700. That is at least a start, and once I am able to donate I will likely donate the same amount every year.

By no means am I doing this for publicity or congratulations, I am just making my thoughts public and hopefully sparking others to donate to some privacy services. Lots of these services run off of donations, so please try not to take them for granted!

A note from me

There seems to be a misunderstanding about the purpose of this post. I am not posting this to receive criticism for my choices, although I am happy to learn about potential misconceptions I had about certain services (Organic Maps, Mozilla, etc.) This list contains my choices, and your choices may be different. Nor am I posting this to gain attention, media traction, congratulations, or publicity. The purpose of this post is to encourage you to make your own list based on your own criteria, and to potentially share it here. Very few people have actually commented with services that they would/do donate to. I have decided to include my choices as well as links to better help others find what they would donate to. For example, many people may forget to donate to services like GNOME that they use every day without thinking twice about the developers who have worked hard to create it. I'm aware that some of these services are for-profit, have poor business practices, or are based in privacy disrespecting countries, but in my opinion (and again, you should make your own list based on your own opinion) those services deserve my support. I thank everyone who has helped me better formulate my list, but this post isn't meant to be about me. I encourage you to take your time to make your own list of services you really would consider donating to. The draft for this list has taken me over a month. Thank you all for taking the time to read through this, and it is unlikely I will be interacting with this post for a while.

cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I've been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn't work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I'm not a fan of atomic distros I will be using that. To @[email protected], your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I've been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn't work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I'm not a fan of atomic distros I will be using that. To @[email protected], your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!