Project encrypt is an ongoing personal mission of mine to fully encrypt every activity I do online. This post will cover almost everything I do to secure my data and prevent unwanted tracking online.

I will go over everything in detail, but in summary this project includes:

  • Passkeys for passwordless login and 2FA.
  • Email aliases for every account.
  • Encrypting email, storage, calendar, passwords & more.
  • Generating credit card numbers for every purchase.
  • Secure messaging & contact key verification.
  • Emergency sheets & backups.

If you follow this project, or any individual steps, you can be assured that your online data will be safer and more secure than before.

Passkeys, Security Keys & 2FA/MFA

If you’re not aware of what passkeys are yet, then let this be the one important takeaway from this article.

Passkeys are a way to log in to your accounts without having to remember a password, and in the case of passwordless login sometimes without even remembering your username. The passkey is generated and stored securely on your device or inside your password manager, and it can’t be used without access to that device or manager.

Passkeys are not only more secure but also more convenient than passwords, because they are unlocked with biometrics (Face ID/Touch ID) or a master password.
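As an added illustration (not code from the post), here is the challenge-response that a passkey login boils down to, written in Go as a simplified model of the WebAuthn flow: the service stores only a public key, the device signs a fresh random challenge, and the key refuses to sign for any relying party other than the one it was created for. The relying-party id, usernames and challenge bytes are constructed for the example, and Ed25519 stands in for whichever signature algorithm a real authenticator negotiates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Passkey is the device-held half; its private key never leaves the authenticator or vault.
type Passkey struct {
	rpID string // relying party the key was created for
	priv ed25519.PrivateKey
}

// RelyingParty (the web service) stores public keys only, so a breach of
// its database yields nothing that can be replayed or cracked offline.
type RelyingParty struct {
	id   string
	pubs map[string]ed25519.PublicKey // username -> credential public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubs: map[string]ed25519.PublicKey{}}
}

// Register creates a key pair bound to this relying party; the server keeps only the public key.
func (rp *RelyingParty) Register(user string) (*Passkey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubs[user] = pub
	return &Passkey{rpID: rp.id, priv: priv}, nil
}

// Sign signs rpID|challenge, but only for the relying party the key was created for:
// this origin binding is why a look-alike phishing site gets no usable signature.
func (pk *Passkey) Sign(rpID string, challenge []byte) ([]byte, error) {
	if rpID != pk.rpID {
		return nil, errors.New("passkey was not created for this relying party")
	}
	return ed25519.Sign(pk.priv, append([]byte(rpID+"|"), challenge...)), nil
}

// Verify checks the signature over a fresh, server-chosen random challenge,
// so a signature captured from one login cannot be replayed at the next.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, append([]byte(rp.id+"|"), challenge...), sig)
}
```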

To start using them, navigate to the security settings for any product you use and check if they support them. This is what the Google security settings look like for passkey registration:

[Screenshot: Google security settings, passkey registration]

When registering a passkey, you can choose where to save it: either in a password manager or on a physical security key like a YubiKey.

For some more information on passkeys and security keys, here are some recommended links:

Another great advantage of passkeys is that they can also serve as your second factor for two-factor authentication (2FA), so you no longer need to copy/paste codes from an authenticator app or from an email or text message. That is a huge convenience with no security downside.

Not every product or service supports 2FA or passkeys, and those that do support them to varying degrees. For example, some sites offer 2FA only via text message and email codes (looking at you, banks and government services…), which is less secure than an authenticator app or passkeys.

Whenever I create a new account for any product or service, I always enable 2FA and register multiple devices. My preferences are (in order):

  1. Passkeys with physical security keys (YubiKey / Titan Key)
  2. Passkeys saved in a password manager
  3. Authenticator App
  4. Email
  5. Text Message / Phone Call

I usually register two security keys and one passkey in my password manager. Prefer passkeys wherever they are supported; if you’re in the Apple ecosystem, the built-in password manager already supports them. Ditto for Android. If passkeys are still confusing, use an authenticator app (How authenticator apps work) like Ente for 2FA codes. The app shows codes that rotate over time, and you copy/paste the current one into the site or app you are logging in to.
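Added example (not from the post): the RFC 6238 computation behind those rotating codes, plus the server-side check with a one-step skew window, in Go. The shared secret and timestamps used in the test are the RFC’s published test values; the point to notice is that both sides hold the same secret and a code stays valid for its whole window, which is what lets a phishing page relay it in a way a passkey assertion cannot be relayed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTPStep is the rotation interval used by common authenticator apps.
const TOTPStep = 30 * time.Second

// TOTP computes the RFC 6238 code: HOTP (RFC 4226, HMAC-SHA1) over the number
// of 30-second steps since the Unix epoch, truncated to `digits` decimal digits.
func TOTP(secret []byte, at time.Time, digits int) string {
	counter := uint64(at.Unix() / int64(TOTPStep/time.Second))
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes; top bit masked.
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// VerifyTOTP is the server side: it accepts the current step and one step either
// way for clock skew, comparing in constant time. Note that both sides hold the
// same secret and a code stays valid for its whole window, so it can be relayed
// by a phishing page in a way a passkey assertion cannot.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	if len(code) < 6 || len(code) > 8 {
		return false
	}
	for _, skew := range []time.Duration{-TOTPStep, 0, TOTPStep} {
		want := TOTP(secret, now.Add(skew), len(code))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			return true
		}
	}
	return false
}
```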

Text message 2FA is by far the weakest form of 2FA; below is a good video about how easily bad actors can intercept phone calls and text messages without you knowing it.

Email Aliases

This is a more recent addition to my project. The idea is to use a different email address for every online account, by way of email aliases.

This means one email for something like Twitter and a different one for Instagram. There are many advantages to doing this; one is spam management: if an alias starts receiving spam, you can simply deactivate it.

It also centralizes forwarding: if today all your aliases forward to a master address like name@domain.com and one day you want to move your 150 accounts to a different address, you change it in one place instead of inside all 150 accounts.

Apple supports aliases through the “Hide My Email” feature in iCloud, which generates addresses on demand, and through “Sign in with Apple”.

[Screenshot: iCloud’s Hide My Email interface in Settings]

I used Apple’s for a while and now use Proton Pass for aliases.

Another benefit of aliases is that your master email stays unknown to everybody, which lets you control who is able to contact you. Nobody knows your real email, only your aliases, and you can deactivate an alias as soon as someone uses it without permission.

Secure aliases like Apple’s or Proton’s are different from the “+ trick” that services like Gmail provide. The + trick does not hide your original address: anyone who knows the trick can drop the +tag and message your original address directly.

Encrypted email, storage, calendar & passwords

This section is dedicated to Proton. Proton is a product suite that provides encryption for various tools and has replacements for things like email, storage (like Google Drive), calendars, VPNs, wallets, and passwords, all private and end-to-end encrypted (E2EE).

All my email aliases forward into my Proton Mail account; I use Proton Storage for encrypted files, Proton Calendar for my calendar, and Proton Pass as my password manager, which also holds authenticator codes, passkeys, and email aliases. This suite replaces the similar, unencrypted Google products I used to need.

If you’re interested in trying out Proton, I highly recommend it, and I have a referral code: https://pr.tn/ref/MQ4N9PEJTH10

Credit Cards

Whenever possible I pay with Apple Pay, because Apple automatically generates a new card number alias for every purchase, masking your real number. This prevents vendors from stealing your credit card number, as the generated number is valid only for that one purchase.

Messaging & Contact Key Verification

Messaging with friends and family is usually done via iMessage, not by choice but because it’s simply more convenient. I would prefer something open-source and E2EE like Signal, Session, or SimpleX, but not enough people use those yet.

For iMessage I have enabled and set up Contact Key Verification with a few contacts to verify their devices. This adds some protection against account takeovers: you are warned if a message comes from an unverified device. But it is a slow, manual process to verify each contact individually, and explaining the benefits of contact key verification to everyone is really difficult.

Details about Contact Key Verification from Apple Security Engineering

iMessage is not perfect, but it seems to be the lesser evil compared to services like WhatsApp, Messenger or Telegram, which claim to be E2EE but track a lot of extra metadata about you.

Emergency Sheet & Backups

When you rely on password managers, email aliases, and authenticator codes, it is important to have a solid strategy for periodic backups of this data, because losing access to it one day would cause endless problems.

I have two methods of backups, and both are encrypted in different ways.

My primary backup method uses my personal server and database, hosted in an undisclosed data center. I built a personal app that takes any data I want and encrypts it with a key I provide. Only the encrypted data is stored in my database; no encryption keys are stored on the server or in the database. This ensures that even if there is a data breach, the data stays encrypted with no way to decrypt it.
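As an added sketch of the design just described (not the author’s app), here is the client-side pattern in Go: encrypt with AES-256-GCM under a key the client holds, store only the ciphertext, and let the authentication tag reject a wrong key or any tampering. The BackupStore map stands in for the remote database, and the 32-byte key is assumed to be supplied by the client (for instance derived from a passphrase with a KDF elsewhere).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// BackupStore stands in for the remote database: each row holds only
// nonce||ciphertext||tag. The key stays with the client and is never stored.
type BackupStore map[string][]byte

// aead builds AES-256-GCM from a 32-byte key (deriving it from a passphrase with a KDF is assumed to happen on the client).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts on the client under a fresh random nonce and stores ciphertext only. The row
// name is bound as additional data (a row copied under another name will not decrypt) and GCM's tag catches any modified byte.
func (s BackupStore) Put(key []byte, name string, plaintext []byte) error {
	gcm, err := aead(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Get fetches a row and decrypts it locally; a wrong key, wrong name or
// tampered row yields an error rather than garbage.
func (s BackupStore) Get(key []byte, name string) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	sealed, ok := s[name]
	if !ok || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("no such backup or row too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(name))
}
```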

The second method uses Proton Storage to hold encrypted versions of already encrypted exports from Proton Pass (double encrypted!), with the encryption keys stored elsewhere. Using Proton to store Proton data is probably not the most reliable way to mitigate downtime, but it is useful as a secondary backup in case my primary goes down.

Finally, I keep an emergency sheet: a paper sheet at home with master passwords and recovery codes in case I lose access to anything very important. It is a worst-case scenario sheet, but it’s always good to have just in case.

Miscellaneous

There are a lot of other small things I do that don’t warrant their own section, so I’ll list them here quickly:

  • Turn on Advanced Data Protection for iCloud storage; it encrypts your iCloud data and is off by default. (Everybody should do this one; it’s easy and important.)
  • Turn off location services on iPhone.
  • Reject any prompts for Data Tracking on apps.
  • Use VPNs as often as possible to mask your IP address.
  • Avoid products and services from Google and other large tech companies.
  • Use DuckDuckGo or Brave Search instead of Google Search.
  • Avoid any “always listening” smart-home products like Google Home or Amazon Alexa.
  • Use Firefox instead of Chrome.

I’m continuously improving my online security strategy so I may update this article periodically to add or remove items. I hope this article has exposed you to something new and I hope it encourages you to start improving your online security as well.