Disk encryption: for real this time
FileVault, BitLocker, LUKS, dm-crypt: what each one protects, and when. Off and hot-state modes. Recovery keys: where, how, never in plaintext.
03 / 06
Laptop, phone, FIDO2 keys: what really works, what is performative, and how to harden without paralyzing yourself.
A device is a permanent trade-off between operability and exposure. This axis covers the hardware and software choices that have real impact on your attack surface: disk encryption (and its concrete limits), choosing a work phone according to your threat model, the “laptop that can be lost” philosophy, operational deployment of YubiKey and FIDO2 keys, reasoned OS hardening.
No generic copy-pasted checklist. Each article breaks down real trade-offs, identifies what is performative, and proposes measures by exposure level.
What's performative vs. what actually shrinks the attack surface. Standard account, signing, allow-listing, logs. Why 200-item checklists do more harm than good.
The right choice depends on your threat model. iPhone Lockdown, Pixel + GrapheneOS, BYOD vs dedicated. What MDM can actually do.
The philosophy of the “losable” laptop. Clean restorable snapshot. Mission data via cloud, never local. Re-image on return.
Model selection. Multi-key setup (primary + backup + third party). Protocols: FIDO2/WebAuthn, PIV, OpenPGP, OTP. Lifecycle and reset.