Security
Last updated: September 17, 2025
Defaults (Zer0)
- Bootloader locked, verified boot (green), FDE enabled.
- Minimal pre-installs; FOSS-first; firewall baseline.
- Optional always-on WireGuard with kill-switch.
OPSEC ladder (overview)
[1] Personal -> [2] Social/Work -> [3] Corp/Cybercrime -> [4] Activist
-> [5] State-level -> [6] Global actors
Table: category - Zer0 setup highlights
┌────┬─────────────────────┬──────────────────┬────────────────────────────┐
│ ID │ OS choice           │ Network          │ Key Zer0 tools/settings    │
├────┼─────────────────────┼──────────────────┼────────────────────────────┤
│ 1  │ Calyx (microG OFF)  │ No VPN or on-dmd │ Lock PIN>6; notif hide     │
│ 2  │ Calyx (microG OFF)  │ WG ON            │ Shelter work profile       │
│ 3  │ Calyx or Lineage    │ WG ON + strict   │ Aegis+KeePass; Wi-Fi hard  │
│ 4  │ Lineage (no microG) │ WG ON; Tor apps  │ Travel-mode; SIM rotate    │
│ 5  │ Lineage (no microG) │ WG ON; SIM hygn  │ Biometrics off; USB lock   │
│ 6  │ Lineage (no microG) │ WG ON; Tor sel   │ Verify, wipe, rotate, test │
└────┴─────────────────────┴──────────────────┴────────────────────────────┘
Detailed recommendations (how to use Zer0 for each category)
[1] Personal Privacy (low threat)
- OS: CalyxOS; microG/sandboxed Play OFF.
- Lock: PIN >= 6 digits; auto-lock <= 30 s; hide lockscreen previews.
- Apps: Signal; KeePassDX; Simple Keyboard; Organic Maps.
- Network: No VPN or on-demand WireGuard; avoid unknown Wi-Fi.
- Zer0 tools: zer0-first-boot (guided), zer0-backup (local encrypted).
- Notes: Keep app count small; avoid cloud backups for sensitive chats.
[2] Social & Workplace Privacy
- OS: CalyxOS; microG OFF (enable only if a work app hard-requires it).
- Profile: Shelter for work apps; keep work profile radio-restricted.
- Network: Always-on WireGuard + kill-switch; DNS-over-TLS.
- SIMs: Separate number for work; calls on prepaid SIM only.
- Zer0 tools: zer0-rotate (work/personal compartments), zer0-wg-test.
- Apps: K-9 Mail + PGP; Aegis; KeePassDX; Syncthing for local sync.
[3] Corporate and Cybercrime Threats
- OS: CalyxOS or Lineage-based; microG OFF.
- Network: Always-on WireGuard; block unknown Wi-Fi; forget stale SSIDs.
- Apps: Compartmentalize risky apps in Shelter; per-app network blocks.
- SIMs: Data over eSIM; voice/SMS sparingly; rotate on exposure events.
- Zer0 tools: zer0-rotate (quarterly review), zer0-backup, zer0-wg-test.
- Extras: Browser isolation; unique email aliases; 2FA everywhere.
[4] High Social Risk (activists, journalists)
- OS: Lineage-based (no microG).
- Lock: Biometrics OFF; long PIN; USB restricted.
- Network: WG always-on; Tor Browser for research; Orbot per-app.
- SIMs: Prefer data eSIM; rotate per Docs: SIM Rotation; avoid voice.
- Travel: Use zer0-travel-mode before borders; radio discipline.
- Zer0 tools: zer0-first-boot, zer0-rotate, zer0-wipe (incident ready).
[5] State-Level Persecution
- OS: Lineage-based; strict minimal apps; microG OFF.
- Lock/radios: Biometrics OFF; airplane mode unless needed; Wi-Fi/BLE OFF.
- Network: WG always-on; use trusted Wi-Fi only via WG; Tor for research.
- SIMs: Burner eSIMs; rotate frequently; keep patterns unpredictable.
- Zer0 tools: zer0-travel-mode (USB off, stricter lock), zer0-wipe, zer0-config-export for fast re-provisioning, zer0-verify regularly.
[6] Global/Nation-State Threats
- OS: Lineage-based; minimum apps; rapid patch cadence.
- Verification: Verify manifests and signatures for every image (zer0-verify). Keep devices updated promptly (+7 days from upstream).
- Network: WG always-on; Tor selectively; never mix identities.
- SIMs: Aggressive rotation; out-of-band comms where possible.
- Zer0 tools: full suite (verify, rotate, wipe, first-boot, wg-test).
- Note: We focus on hardened workflows and verification, not custom firmware.
ASCII: radio discipline quick view
Radios [Cellular:ON when needed] [Wi-Fi:OFF] [Bluetooth:OFF] [NFC:OFF]
Limits and caveats
- Baseband remains proprietary; telecom tracking persists.
- Operational mistakes defeat security; rehearse incident response.