OPSEC Toolkit

A comprehensive guide to operational security tools and techniques.

OPSEC Methods
Content Obfuscation
Image Generation & Editing
Anonymity Tools
Virtualization
Privacy Protection
Cryptocurrency
Data Destruction
Miscellaneous
External Links
References
back to main guide

OPSEC Methods

Content Obfuscation

Text Rewriting Tools

Free Article Spinner - Basic and advanced paraphrasing.
RewriteTools - Simple article spinner.
SEO Tool Station - SEO-focused rewriter (use Tor after few attempts).
ChatGPT - "Rewrite this as..." prompt (censorship aware).
DeepSeek - Requires account (censored on sensitive topics).
- Offline Version Guide.
- LM Studio - For running models locally.

Protip: Doesn't hurt to write genuinely, act human and be human if doing HUMINT.

Multilingual Tools

Google Translate - For language conversion.

Google maps etc

Don't blur out your house, it'll make you stick out like a sore thumb; just go with the flow and be normal.

Image Generation & Editing

Generation Tools

Stable Diffusion WebUI - Local image generation.
- Civitai Model Repository - Use 1.5 models for older GPUs.
This Person Does Not Exist - Quick face generation (has watermark).

Editing Tools

Note

Some tools require at least minimum a CPU while others need a GPU that is NVIDIA.

Some my be hybrid and other haven't been tested, will mark as AMD and the untested as ???.

Will mark this as NV for Nvidia and CPU for reqs along with AMD and the untested.

Free Inpaint - Web-based inpainting
- Pair with Upscale Media
IOPaint (CPU/NV/AMD)
- Linux Launcher (same reqs)
DeepMosaics (CPU/NV)
- DeepMosaicsPlus (CPU/NV/AMD/???)
de-pixelate (???)

Cloaking tools

Fawkes - a facial cloaking tool that can run locally on Linux/Windows. Was tested on arch. See issue #191. The only downside with Fawkes is that sometimes it doesn't detect a face or the face can get detected by AI programs anyway. (???)
- Active fork. (same reqs)

Meta Tools

ExifTool - Metadata editing/stripping

Installation:

# Debian/Ubuntu
sudo apt update && sudo apt install exiftool

# Fedora
sudo dnf install exiftool

# Arch
sudo pacman -S exiftool

Encryption

VeraCrypt - Container/drive encryption.
LUKS - Hard drive encryption.
Keepassxc - Passwords and secure notes.
Restic - Secure File Backup
Kopia - Encrypted File Backup
Cryptomator - Encrypts your sensitive data in the cloud

Anonymity Tools

Ip Hiders and VPNS
- Tor Project

What is tor?:

"TOR is developed and maintained by the The Tor Project, Inc. When you look at the Tor Project's About Page, you'll notice that its an entity labeled as a 501(c)3; this is a type of nonprofit organization. Information about nonprofits can be found in their own set of databases. Check out GuideStar Pro and search for the the Tor Project to learn more about the foundation developing this web browser."(Indiana University Bloomington, 2024)¹

Mullvad VPN
- I2P
  - More info about it here
- Freenet (See below for Vulnerabilities)
  - A list of news articles listing vulnerabilities are within the external links section below feel free to read.

According to The Sacramento Bee

“the U.S. Attorney’s Office in Sacramento said two of them included a Lodi man, who was arrested for allegedly using the Freenet network to share child pornography, and a Solano County man, who was arrested for allegedly trafficking a 16-year-old girl who had been reported missing from Sacramento County” (The Sacramento Bee, 2025).²

Tor Also faced Vulnerabilities from either:

timing analyses³.
user error⁴.

"Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects applications that are properly configured to send their Internet traffic through Tor."

Note

There has been some talks about laws being passed around here and there about age verification and such being built INSIDE the OS; so far tails doesn't seem to comply with any of it; not sure about any other main distros and whonix is complying which is ironic.

Operating Systems
- tails OS - Live USB OS.
- Whonix - VM-based anonymity OS.

Note

Graphene is partnering with Motorola.

Phones
- Android
  - GrapheneOS - GrapheneOS is a privacy and security-focused mobile operating system based on the Android Open Source Project (AOSP). Can only run on Pixel phones.
  - LineageOS For those who cannot run grapheneOS but want to de-google.

Protip: Not storing information on mobile devices is the best OPSEC.

To try TailsOS (Insecure)

ISO image
- In conjunction you'll need to try one of these under Virtualization

Boot inside your favorite VM/Hypervisor and you should be good to go!

The reason why this isn't secure is that the host machine may be compromised and it defeats the whole purpose of TailsOS if you do this instead of installing it inside a USB. Only use this if you want to try the OS.

"Traces of your Tails session are likely to be left on the local hard disk. For example, host operating systems usually use swapping (or paging) which copies part of the RAM to the hard disk" (The Tails Project, n.d.). ⁵

I2P with TailsOS (not supported but is Amnesic)

🔧 Installation

Download the script from the GitHub repository:

git clone https://github.com/itsOwen/i2pd-tails-os.git
cd i2pd-tails-os

Enable admin privileges in Tails:
- At the Tails welcome screen, click "+" under "Additional Settings"
- Choose "Administration Password"
- Set a password and continue booting
Run the script:
- Open a Terminal (Applications > System Tools)
- Switch to root with:
```
sudo -i
```
- Navigate to the script directory and run:
```
./install_i2pd.sh
```
Wait for installation to complete (5-10 minutes)

🚀 Usage

After installation, you'll find these desktop shortcuts:

Enable I2P: Activates I2P functionality.
Disable I2P: Deactivates I2P and restores normal Tor-only operation.
I2P Console: Opens the I2P router admin interface.

To use I2P:

Click the Enable I2P desktop shortcut
Start the Tor Browser and Browse .i2p sites:
- For known sites: http://site.i2p (never use https:// only http://)
- For more reliable access: Use .b32.i2p addresses

To monitor I2P status:

Open the I2P console at http://10.200.1.1:7070

Usage and Considerations.

With I2P support, Install Docs.

How to verify an onion address

Find the pgp key

a good example is tortaxi

import the pgp keys and certify it

Verification

Decrypt and verify the sig

Core Limitations PGP uses "long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity" (Borisov et al., 2004, p. 1). This lacks perfect forward secrecy, allowing past messages to be decrypted if a key is later compromised, unlike desired short-lived keys. Digital signatures also create non-repudiation, where "a digital signature may be verified by anyone, and as such can be used to prove to a third party that Alice signed a message" (Borisov et al., 2004, p. 5), undermining privacy in personal talks.⁶

Ideal Properties Missing Social communications need "perfect forward secrecy and repudiability," the "opposite" of PGP's properties (Borisov et al., 2004, p. 1). PGP's keys expose historical messages to retroactive breaches, as "the compromise of Bob’s secrets allowed Eve to read not only future messages protected with that key, but past messages as well" (Borisov et al., 2004, p. 3). Signatures further limit candid exchange by enabling third-party proof of authorship.⁶

Virtualization

Virtualization Virtual machines running a full operating system.(Yale University, 2014)⁷

How It Works

Virtual Machines (VMs): Simulated systems that run independently on shared hardware or on the cloud.
Hypervisor: Software that manages VMs, directly on the CPU.⁷
- Type 1 runs directly on hardware (e.g., VMware ESXi).⁸
- Type 2 runs on an OS, typically a server.⁸

How secure are Virtual machines?

As stated on The University of Tennessee's webpage:

"While virtual machines offer valuable flexibility, they can also create security vulnerabilities if they are not properly configured" (University of Tennessee Office of Information Technology, n.d., para. 1).⁹

It can also depend on the host system. In an example the system gets compromised either physically or by a virus and the Virtual Machine is not secured inside a LUKS drive.

For LUKS, the user needs to enter the password typically in order to mount said drive so the Virtual Disk would be safe.

Types

Server: It is designed to operate on machines made of bare metal (The Linux Foundation).¹⁰ ¹¹
Desktop: Centralized desktops delivered to users, think amazon web service.¹²
- Can also be local use like virt-manager/KVM Hypervisors.

"Local desktop virtualization allows running a virtualization stack on a system physically accessible by the hypervisor, enabling the use of software on a specific OS without installing that OS by creating a virtualized instance"¹³.(Veeam, n.d.)

Network: Virtual network channels.
Storage: Unified storage from multiple devices.
Application: Apps run independently of the OS.

Benefits of a remote virtual machine

Better resource use.
Lower hardware costs.
Easy scaling.
Improved security.
Simplified backups and recovery.

Downsides of a remote VM:

Security risks.
Internet access only.

Use Cases

Core to cloud computing and enterprise IT, enabling efficient, scalable infrastructure management.

Benefits of a local virtual machine

Better Security.
Ease of Access.

Downsides of a local VM:

Hardware costs.
Single point of failure.

Use Cases

Personal use cases, such as videogames to isolation of a user environment.

Libvirt - Advanced Linux virtualization.
VirtualBox - Cross-platform solution.

Privacy Protection

Email Services

User/Email Generator - For ProtonMail/cock.li
- PROTIP: For Proton, you'll probably want to use a VPN as TOR will get flagged; use Mullvad. Cock.li is back up but you'll need to use an email client, use the ones suggested below.
Temp-Mail - Temporary email.
Username Generator.
cock.li.
ProtonMail.

Cryptocurrency

Monero (XMR) - Privacy-focused cryptocurrency.

Clients:

gupax A client that combines both p2p and xmrig to mine Monero; you can use existing wallets.
- stable build

Services/Wallets

Cake Wallet Isn't KYC and can be used on mobile and desktop with XMR.
XMR.CARDS A list of cards you can buy with XMR.
Monerica A list of services and goods you can buy with XMR.
kycnotme A list of services that are also not KYC.

Note

some services can in fact be KYC such as prepaid cards so keep this in mind (visa/paypal).

Data Destruction

DBAN - HDD wiping; VM. Not good for SSD's.
Arch Linux Wipe Guide Shows how to effectively wipe an SSD.
NVMe/SSD/HDD Nuke Script may brick your drives, trust me.
physical destruction last ditch effort, may be costly.

Miscellaneous

PrivacyTools.io - Privacy software/resources.
crypt.fyi - "Secure" data sharing, I say "Secure" because it's not safe on screenshots.
One-Time Pad Implementation.
Mouse-R - use with veracrypt for mouse entropy.

Zip

Random Address - Zip code gen for the US.

Warning

Do not commit fraud and get sent to collections. Or I'll yell at you.

Credit Card

Card Generator - Card Gen for fake numbers, you won't buy anything.
Privacy - Virtual Card, you can set limits, is KYC but that's a given seeing how it will be tied to a bank account.

Example from paypal, which also generates some fake numbers but gives you an idea. Still cannot buy anything.

Secure File Transfer Methods in TailsOS

Recommended Methods

Encrypted USB Drives
- Physical transfer with encryption
- No internet required
OnionShare (Built-In)
- Anonymous sharing via Tor
- Generates onion links
Tailscale Taildrop
- Encrypted P2P between devices
- Requires Tailscale setup
Persistent Storage
- Encrypted storage across sessions
- Optional VeraCrypt containers

Comparison Table

Method	Encryption	Anonymity	Internet	Best Use Case
Encrypted USB	Yes	No	No	Offline transfers
OnionShare	Yes (Tor)	Yes	Yes	Anonymous sharing
Taildrop	Yes	No	Yes	Personal device sync
Persistent Storage	Yes	N/A	No	Secure local storage

Security Notes

Always wipe metadata
Never transfer deanonymizing files
Avoid cross-OS transfers on same device
Protect encryption passphrases

OPSEC Pipeline for secure files

Database	Human Password	Contains	db2.kdbx	contains	veracrypt	contains
db1.kdbx	`password123`	db2.kdbx key-file	key-file	veracrypt key-file		files and docs

What I tend to do is save this in private notes inside simplex, I'd also recommend not saving your password as password123.

Desktop

db1.kdbx (human-memorable password), contains key-file. for db2.kdbx
- Grants access to:
  - db2.kdbx, varacrypt key-file
  - VeraCrypt container

SimpleX

Securely transfers db2 which contains the key-file
- Can upload/download from encrypted container.

Then if i need, I share it with another simplex note on my phone by connecting my own phone instance and the desktop as a chat. Then forwarding it to private notes. After that is done, I delete the convo for both but keep private notes for both adding in redundancy. just save inside simplex and desktop to reduce data remnants.

May also be a issue with classifed information according to the DoD.

For SSD's I'd recommend using LUK's or a container as securely erasing in traditional means is basically useless if you want to format the entire drive.¹⁴

You may also just send things to RAM with tmpfs and do a shutdown as it lets normal users write into it but isn't worldwide if configured correctly:

"Tmpfs is a file system which keeps all files in virtual memory. Everything in tmpfs is temporary in the sense that no files will be created on your hard drive. If you unmount a tmpfs instance, everything stored therein is lost" ("Tmpfs is a file system," 2001).¹⁵

However tmpfs maybe an insecure method without dm-crypt/LUKS due to SWAP.¹⁶

And there is the multi-user issue, can be solved with this line in fstab.¹⁷ ¹⁸

tmpfs   /www/cache    tmpfs  rw,size=1G,nr_inodes=5k,noexec,nodev,nosuid,uid=1000,gid=1000,mode=700 0 0

The reason why you need to create a tmpfs file-system instead of using /tmp is because it's a worldwide system in linux, any user can see what's in it just cannot rename or delete (only root can).

You may also need to use histcontrol to disable commands or disable history entirely.

Radicle

Use this docker image
Use git (you don't need github just use your hostname for email)

    git config --global user.email "hostmachine@mail.com" && git config --global user.name "anon anon"

Start up the container and enjoy.

docker-compose up -d && docker exec -it radicle-seed /bin/ash

stop the container if you want to purge it.

docker container stop radicle-seed && docker container rm radicle-seed && docker network rm radicle-network && docker volume rm radicle-data

version: '3.8'

services:
  radicle:
    image: ff0x/radicle:latest
    container_name: radicle-seed
    restart: unless-stopped
    environment:
      - RAD_ALIAS=anon
    volumes:
      - radicle-data:/app/radicle
      # Mount with read-write permissions to a physical drive
      - /value/value/value/value/value/value:/var/lib/radicle/targetdir:rw
    ports:
      - "8776:8776"
      - "8777:8777"
    networks:
      - radicle-network

volumes:
  radicle-data:
    name: radicle-data 

networks:
  radicle-network:
    name: radicle-network
    driver: bridge

Remember: The best OPSEC sometimes means not interacting with your target at all to avoid alerting them.

You also Didn't Have to Post That.

External Links:

Virtualization via Virtual Machines - blog post, September 18, 2017

The Linux Kernel Archives — tmpfs (August 23, 2024)

Ramfs, rootfs and initramfs — Linux Kernel documentation (October 17, 2005)

tmpfs(5) manual page — Arch Linux Man Pages (updated Sep 21, 2025, Linux man-pages 6.16)

DMCrypt - cryptsetup Wiki

cryptsetup - GitLab repository

cryptsetup(8) manual page — Arch Linux Man Pages(updated Aug 13th, 2025, Linux man-pages 2.8.1-1)

Chapter 29 Section 2 - Encrypting block devices using dm-crypt/LUKS - redhat documentation (2025)

dm-crypt - Archlinux Wikipedia (Updated on 21 June, 2025)

GrapheneOS: Frequently Asked Questions - supported devices

Using Tor Safely – Tor Browser Best Practices

Timeless Timing Attacks and Preload Defenses in Tor’s DNS Cache

Police plants own computers in Freenet, log IPs, makes arrest – Hacker10

Police departments tracking efforts based on false statistics – Hyphanet

A De-anonymization Attack against Downloaders in Freenet IEEE – 2024 Publication (IEEE Xplore)

Darknet bible (TOR NEEDED) | Public Archive of Darknet bible | A hosted git | Clearnet

tor.taxi

bash(1) General Commands Manual - HISTCONTROL (April 7th, 2025, Linux man-pages)

Carnegie Mellon University - Do not create temporary files in shared directories (Seacord et al. Aug 29, 2025)

/tmp.. A goldmine for pentesters (Mertens. Jan 20th, 2016)

It's easier than ever to de-censor videos - Level 2 Jeff (Apr 15, 2025)

Removing blur from images – deconvolution and using optimized simple filters - Bart Wronski (supersampling) (May 26, 2022)

What is supersampling (antialiasing technique)? - Hardware Knowledgebase (Mar 25, 2006)

References:

“Library Research Guides: Digital Privacy: Digital Privacy Practices.” Indiana University Bloomington, wayback machine, 7 July 2025, https://web.archive.org/web/20250208104257/https://guides.libraries.indiana.edu/c.php?g=1325689&p=9771453. ↩
The Sacramento Bee. (2025, May 7). Lodi man arrested in federal child pornography case, Solano suspect accused of trafficking teen. The Sacramento Bee. https://www.sacbee.com/news/local/crime/article305942121.html ↩
Irwin, K. (2024, September 20). Tor dark web browser users reportedly unmasked by police. PCMag. https://www.pcmag.com/news/tor-dark-web-browser-users-reportedly-unmasked-by-police ↩
Tor Project. (n.d.). Tor Browser best practices. Retrieved December 1, 2025, from https://support.torproject.org/tor-browser/security/using-tb-safely/ ↩
The Tails Project. (n.d.). Virtualization. Tails. Retrieved October 4, 2025, from https://tails.net/doc/advanced_topics/virtualization/index.en.html ↩
Borisov, N., Goldberg, I., & Brewer, E. (2004). Off-the-Record Communication, or, Why Not To Use PGP. WPES '04: Proceedings of the 2004 ACM workshop on Privacy in the electronic society (pp. 1-5). Association for Computing Machinery. ↩ ↩²
Yale University. “Virtualization.” yale, 17 June 2014, www.cs.yale.edu/homes/aspnes/pinewiki/Virtualization.html. ↩ ↩²
Kelley, Karin. “Cloud Computing Tutorial: Virtualization, Hypervisors, and VMware Workstation - Caltech.” pg-p.ctme.caltech.edu, 24 June 2024, pg-p.ctme.caltech.edu/blog/cloud-computing/virtualization-hypervisors-and-vmware-workstation. ↩ ↩²
University of Tennessee Office of Information Technology. (n.d.). Protecting your virtual machines. University of Tennessee. https://oit.utk.edu/security/learning-library/article-archive/protecting-your-virtual-machines ↩
The Linux Foundation. “XCP-ng Documentation.” Xcp-ng, docs.xcp-ng.org. Accessed 26 Sept. 2025. ↩
Vanderbilt University. “Virtual Servers.” Vanderbilt University, tdx.vanderbilt.edu/TDClient/33/Portal/Requests/ServiceDet?ID=147. Accessed 26 Sept. 2025. ↩
GeeksforGeeks. “What Is Hosted Virtual Desktops (HVD)?” GeeksforGeeks, 23 July 2025, www.geeksforgeeks.org/cloud-computing/what-is-hosted-virtual-desktops-hvd/#. ↩
Veeam. (n.d.). Local desktop virtualization. Veeam. https://www.veeam.com/glossary/desktop-virtualization.html ↩
"Layered Security." ScienceDirect, Elsevier B.V., 2025, www.sciencedirect.com/topics/computer-science/layered-security. Accessed 22 Sept. 2025. ↩
Rohland, C. (Original work published 2001, December 01). Tmpfs - a file system which keeps all files in virtual memory. Updated by Dickins, H., & Kosaki, M. (2010). Retrieved November 10, 2025, from https://research.cs.wisc.edu/adsl/Software/tratr/.scripts/tratr/Documentation/filesystems/tmpfs.txt ↩
FreeBSD Documentation Project. (n.d.). Encrypting swap. FreeBSD Handbook. https://docs-archive.freebsd.org/doc/13.0-RELEASE/usr/local/share/doc/freebsd/en/books/handbook/swap-encrypting.html ↩
The Linux Kernel Archives. (2025, May 17). tmpfs(5) - a virtual memory filesystem. Linux man-pages. https://man7.org/linux/man-pages/man5/tmpfs.5.html ↩
ArchWiki. (2025, September 28). tmpfs. https://wiki.archlinux.org/title/Tmpfs ↩

FilesExpand file tree

opsec.md

Latest commit

History

opsec.md

File metadata and controls

OPSEC Toolkit

Table of Contents

OPSEC Methods

Content Obfuscation

Text Rewriting Tools

Multilingual Tools

Google maps etc

Image Generation & Editing

Generation Tools

Editing Tools

Cloaking tools

Meta Tools

Encryption

Anonymity Tools

To try TailsOS (Insecure)

I2P with TailsOS (not supported but is Amnesic)

🔧 Installation

🚀 Usage

How to verify an onion address

Virtualization

How It Works

Types

Benefits of a remote virtual machine

Downsides of a remote VM:

Use Cases

Benefits of a local virtual machine

Downsides of a local VM:

Use Cases

Privacy Protection

Email Services

email clients

Android

Data Broker Opt-Out

Cryptocurrency

Services/Wallets

Data Destruction

Miscellaneous

Secure File Transfer Methods in TailsOS

Recommended Methods

Comparison Table

Security Notes

OPSEC Pipeline for secure files

External Links:

References:

Footnotes