Finding a VPN that runs cleanly on an immutable OS like Fedora Atomic isn’t easy. The biggest challenge is a reliable kill switch that doesn’t require changing the system’s core files — tweaking iptables or nftables yourself is possible, but it’s not beginner-friendly. Most solid Fedora Atomic solutions rely on the command line, though some providers ship GUI clients that work within the OS’s layering model.
Swedish provider with RAM-only servers and a strict no-logs policy.
Lightweight Linux GUI client that works on Fedora Atomic; fewer features but everything essential — including a working kill switch — functions reliably.
Audited, no-logs provider based in Malaysia (outside the 14-eyes, and with no mandatory data-retention laws).
While Fedora Atomic isn’t explicitly listed, hide.me provides an excellent CLI client (written in Go) that runs on Fedora Atomic and includes a trustworthy kill switch.
Offers an official .rpm package that can be layered into Fedora Atomic via rpm-ostree, giving you access to their GUI and kill switch.
Pricing and renewal notes
ProtonVPN and NordVPN run promotions from time to time but tend to renew at full price — cancel before renewal if you don’t want to be charged more.
Windscribe and hide.me offer yearly discounts that guarantee renewal at the same promotional price, making them convenient if you don’t want to hunt for deals later.
OVPN also offers yearly pricing that renews at the discounted rate.
Mullvad never discounts; their steady pricing means you won’t be surprised by a higher renewal.
Quick recommendation
If you prefer GUIs and an easy test drive: try Windscribe (free tier).
If you prefer a privacy-first, consistent price: Mullvad.
If you’re comfortable with the CLI and want maximum reliability on Fedora Atomic: ProtonVPN or hide.me.
Like other Linux distributions Fedora does not track you, it is open source and gets security updates. You should go for Fedora instead of other distributions because they have a big community and they get funding and support from Red Hat, this guarantees that the distribution is not run by a single developer and it is not going to become abandonware. Another worthy distribution is Ubuntu but I weighted towards Fedora because Red Hat is based in the USA and Canonical, Ubuntu parent company is based in the UK where free speech laws are more restrictive and surveillance is more omnipresent, for security and privacy I consider Fedora to be better.
Steps to do after installing Fedora Atomic, notice that non Atomic versions use dnf, these instructions are specific of the Fedora Atomic version which is more secure.
Change font size to Large font by going to accessibility menu in Gnome
Make sure your operating system time is synchronised or 2FA apps won’t work. In Fedora you can set up NTS (Network Time Security) a more secure NTP (Network Time Protocol) by doing this:
Edit chrony.conf using the command line with:
sudo nano /etc/chrony.conf
Inside the file use the add the following NTS servers
server time.cloudflare.com iburst nts server 0.ubuntu.pool.ntp.org iburst nts server 1.ubuntu.pool.ntp.org iburst nts
Make sure this line is uncommented in chrony.conf
ntsdumpdir /var/lib/chrony
restart chronyd with:
sudo systemctl restart chronyd
If you want to check if chronyd has been configured correctly use:
5. Install KeePassXC using the official Fedora repository
6. Install WindScribe from their official VPN site.
7. Standard Notes has a non official Flatpak their official Linux app is only for Ubuntu, for security reasons is best not to donwnload the non official FlatPak and only use Standard Notes web version, the Brave browser will give you an option to install it as app.
8. Install Shotime, the video player known as “Video Player” in Fedora official repository, make sure it is the FlatPak version not distributed by Fedora as otherwise it will not come with non free codecs needed to play some files.
9. Install Safe the secure offline password manager based on KeePassXC, it can be downloaded from Fedora official repository.
10. Other applications to install are LibreOffice to have a full featured Word Editor, Pinta as a graphics editor, Document Scanner to scan documents with HP Smart Tank 5105, Peazip to extract files and DéjàDup to back up your data.
As much as Proton tries to market itself as a foundation they are no different from a big corporation when it comes to profits and marketing. Let me give you some examples of this:
They lure paying users with steep introductory discounts available for new customers only and prices surge significantly after the first year. This “bait-and-switch” tactic leaves many users facing renewal rates 2-4x higher.
Posts in ProtonVPN’s official subreddit are not visible without moderator pre-approval and they frequently remove critical comments under vague pretexts like being off-topic or already posted, this creates an echo chamber where positive experiences dominate.
Proton pays money to influencers to promote some of their services, the pay for sign up model leads to biased endorsements.
Reference: YouTuber “The Hated One” Exposes Proton’s Shady Tactics: In his November 2025 video, he reveals Proton offered him $70 per signup to shill their services—but after rejecting the deal and requesting a CEO interview instead, Proton ghosted him completely, ignoring all follow-ups.
ProtonMail has cooperated with law enforcement in several documented cases where they hand over the recovery email address you enter when you open your account with them, Proton is fully aware that the recovery email is not encrypted and handed over when they are subpoenaed, they justify themselves by saying that the user entered it and what not but the fact is that they know about this security hole and do nothing to address it.
Swiss privacy laws are comparable to those of the European Union, you are not safer by Proton being based in Switzerland instead of Germany. As an example in 2021 ProtonMail was forced by a Swiss Court to do real time IP logging of a French climate activist occupying buildings.
And finally a politically charged argument: Proton announcing in their X account that they had donated $100,000 to the Palestinian Red Crescent right when Israel was defending itself from Islamic terrorists, as European who stands 100% behind Israel this feels like a betrayal, I want my money to be spent aiding Israeli civilians and not on Gaza under Hamas control, I won´t be supporting any company that gives money to Gaza.
To help alleviate the humanitarian disaster in Gaza, Proton has donated $100,000 to the Palestinian Red Crescent Society and other aid organizations working on the ground.
Today I sideloaded TubiTV to my Smasung smartTV, if you live in a country where TubiTV is available you don´t need to do any of this, the instructions are only for people being geoblocked by TubiTV, as a side note, this should work for many other apps like LiveOne.
I will describe my hardaware because depending on hardware things might change, I am using a Samsung smartTV with an Android TV box, brand “Strong”, based in Austria but owned by a Chinese conglomerate, they are not one of the cheapest Android set up boxes out there but you know it won´t come loaded with malware as it is a well known brand within the Android set up boxes community, and more important, it runs Android 11, which makes it harder to install unauthorized software.
You will need an Android phone too, these are the instructions to sideload TubiTV to your smart TV.
Download the app SendFilesToTV from the official Google play store to your smartphone and to your smartTV, the app must be installed in both devices.
With your phone go to the alternative Google playstore UpToDown and download any app, for example TubiTV, this will be a .apk file.
In your smartphone click on the Send Files To TV app, click the button that says “Send” browse your .apk file downloaded from UpToDown and select sending it to your set up Android box which will show up in the destination if you are in the same Wi-fi network, this only works if your smartphone and the Android set up box are both in the same network.
Go to your smart TV open the Send Files to TV app, click on Receive and you will see the .apk file, click on it and pick install, you will be prompted to change one security setting to be able to install it, the instructions are very clear, read the screen and change the setting UpToDown tells you, after this you will have UpToDown installed in your smartTV.
Open the alternative Google PlayStore you just installed in your smartTV, go to media and you will find TubiTV and thousands of other apps, now you can pick any app you want and install it without having to use any work around.
For security uninstall SendFilesToTV after leaving a review to the developer if everything has worked for you, the app is free at the very least you could leave a review right? You can use other alternative Google play stores like ApkMirror, a Chinese company but my favourite store is UpToDown for no other reason that I don´t trust the Chinese government when it comes to privacy and security.
Needless to say that you will still need a VPN to watch TubiTV, you can try WindScribe for free without payment asked and see if it works for you, they support streaming, or pick your own VPN. English speaking countries where TubiTV is known to work: United States, Canada, Australia, United Kingdom.
Posteo is a paid privacy email provider based in Germany. I signed up with them after a recent Fastmail price increase and my concern about Fastmail being an Australian company with servers in the USA.
I briefly considered Yandex, a free Russian email service with interface in English, but it does no good to me to trade NSA illegal spying for Russian Federal Security Service (FSB) illegal spying.
I came to the conclusion that all countries spy and the only way I was going to protect myself from that is by using an email service that is transparent about logs, has encrypted storage with the email provider locked out of them, with no access to the keys, and end to end encryption. What is known in the privacy industry as zero knowledge, and if the company is based out of the Five Eyes wiretapping alliance (UK,US,CA,AUS and NZ) even better.
Posteo fulfilled all the requirements I had in mind and I also liked that they do not have a Facebook page, it shows they really care about customers privacy.
How to open a Posteo account
Opening an account with Posteo took me around one minute, the company does not want to know your name, address, back up email or phone number.
You only need three things to sign up for a Posteo account:
Pick a username
Pick a password
Pay with cash, Paypal, wiring, credit card or voucher (payment methods are anonymised)
Posteo payment
I used Paypal to buy the account, I know Paypal stores all transactions for years and the NSA probably has a direct feed to them but the transaction does not show your Posteo email address, the only available record in Paypal is the date and amount of money you sent to Posteo, your inbox or username is never printed anywhere in the receipt.
Posteo Paypal payment (5 years prepaid)
Futhermore, Posteo payment system automatically assigns a code to the inbox so that usernames can never be linked by the company with a payment. Tax laws compel Posteo to keep payment information for 10 years, this includes your name if you used bank transfer o Paypal to buy the account, but it never includes what your email address is and if the company was asked for this they are unable to provide the information, there is no law forcing Posteo to keep that data.
Specific details on how your payment is anonymized is very well explained with screenshots within Posteo’s FAQ.
One of my favourite things from this company is that their help pages disclose in plain English (German&French) the security measures they take to protect customers from illegal spying by government agencies, what logs Posteo keep, how long for and what happens if they receive a subpoena, as well as some background information about Germany privacy laws.
There are no trial Posteo accounts, payment is taken from day one, but if you are not happy with the service you have the right to revoke it within 14 days and credit will be refunded.
If I had to criticise anything from the payment system is that they do not accept Bitcoins.
Posteo email basics
You can access your email via web, IMAP or POP3, attachments are a generous 50MB and the initial inbox is 2GB with a couple of aliases, all of this can be increased according to needs.
Posteo has a single basic email package that is prepaid, if you feel like you need more storage space or more email aliases you can go to account settings and move a slider bar to add extras, as you do this the screen shows you how much more this will cost you, for example, an alias currently costs €0.10 a month, if you need four email aliases that is €0.40 more a month, if you no longer need them next month, you delete it and monthly price comes down again.
The way Posteo pricing is set up you don’t have to pay for things you don’t need, you customize it to your needs, it works out cheaper than paying for an oversized email package that subsidizes heavy or business email users.
The account includes a decent online calendar, that can be optionally be shared with a public URL, address book and notes, all of which can be encrypted, in which case sharing is no longer be possible.
Posteo email calendar
Consider carefully if you need your inbox encrypted, after you enable it some functions like email searching will no longer work and if you lose your password Posteo support can reset your account but you will not be able to read your old email messages without your old password as Posteo has no way to decrypt them.
For example, because I only plan on using Posteo in the browser I activated the additional email account protection that eliminates IMAP access, and this stopped notes from autosaving so I had to reactivate it. Next to each encryption setting you will see a box that tells you what features stop working if you choose security over functionality.
Posteo email security
There are a ton of security measures, and nearly all of them can be configured, Posteo is ideal for advanced privacy email users that like to have control and spend time tinkering with their security settings. It took me a good couple of hours of reading understanding all that Posteo had to offer.
This company is one of the first email providers to implementing DANE, a DNS based authentication method that checks the digital certificate fingerprints of other email providers, this detects bogus certificates replaced by sophisticated hackers, state sponsored operatives have been known to do this trick in the past.
For DANE to work other email providers must support it too, when sending an email to somebody a small green check box in Posteo let’s you know if the server you are communicating with is DANE compliant. Tutanota supports it and Protonmail has plans to have DANE this year, but the big NSA back doored email providers, like Gmail, Yahoo and Outlook, have no DANE support.
Encrypted email provider Posteo
Another setting activates a TLS-sending guarantee, with the checkbox ticked your messages will not be delivered to any TLS insecure email server, if Posteo comes across one you get a warning and have the option of sending the message without proper encryption in transit or not sending it.
To use PGP you need to install MailVelope addon browser, after that a new button that says “Compose&Encrypt” magically appears in the webmail interface.
You can add your public encryption key to Posteo keyserver and activate “encrypt all incoming email“, this means that all messages you receive will be automatically encrypted with your own PGP key at the door, on top of the encrypted inbox.
You might want to do this if you don’t trust Posteo’s own encryption, you add an extra layer with your own keys, however if you lose your private keys you will not be able to read the messages again and every time you click on an email in your inbox you are required to to enter the decryption password in MailVelope.
I found incoming encryption too burdensome, I would only propose it to the most paranoid kind not concerned with quick email access.
Posteo PGP encryption Mailvelope
Hat tip to Posteo for automatically bouncing my public encryption key back to my inbox with a warning that it did not conform to security.
During key generation I made the mistake of adding my first name to the public encryption key and Posteo very rightly rejected it in their keyserver as the name can be used to track down your identity, I was only able to add the key to the server after changing the name field with a non descriptive text, like my email address.
Two factor authentication is possible too, Posteo works with any open standard TOTP app, like Google Authenticator, but the company recommends FreeOTP because it is open source (developed by Fedora), or if you own a Yubikey you can use it for two factor authentication, the help pages come with clear instructions and screenshots about how to set it up.
Posteo downsides
It put me off Posteo that they don’t own the .com of their email address, I had people in the past sending me messages to a .com version of my address, it is a common mistake many people do. I find it very short sighted that a company like Posteo, offering a choice of 30 different domain names for your email aliases, does not have a single neutral .com that you can pick for an email address. You can have a @posteo.af address, country code from Afghanistan, and a @posteo.jp country code from Japan, but .com is not an option.
I would have appreciated a non descriptive .com domain which URL does not resolve to Posteo homepage that can be used as an alias.
Another downside for me is that Posteo does not have a Spam folder and you can not have one. Posteo drops all spam silently and you must trust they do it correctly.
My experience with email providers so far has been that no spam filter is 100% perfect and I have no way of finding out if a message is not getting to my inbox because it was flagged as spam by mistake or because it was never sent.
You can whitelist addresses in the filter but there is no way of whitelisting something you don’t know about.
Posteo advantages
Posteo comes with Mailvelope preconfigured, after installing the addon in my browser a new encryption button appears in the webmail interface and this gives me the ability to communicate with other PGP users holding my own encryption keys instead of Posteo doing that.
The encrypted email inbox and being able to encrypt all incoming messages with my own private encryption keys is a huge perk too.
Posteo message filtering
It takes time time to encrypt messages yourself, entering passwords, selecting the right keys, etc, if you are tight on time and security is not that important for you it might be best that your email provider does all of that, but if you want to err on the cautious side and trust nobody with your encryption keys, owning your own keys is they right way to do it.
I also liked the email filtering, being able to file messages into folders as they arrive, according to subject, sender, etc.
Posteo support
Support is not suited for businesses, but I think that an individual will be ok waiting one or two days for a reply. You can contact Posteo by email during German working hours.
I sent Posteo support an email to ask a question about my settings and it took 24 hours to get a reply that solved my question.There is no ticketing system, this might unnerve some people, because you keep wondering if the email was ever received, but not having a ticketing system is advantageous for those who value privacy and a very good idea
The company barely keeping records of anything means that the information can not be lost or stolen and you can always check the “sent receipt” box if you email support, this way you will know they have received your inquiry.
Posteo vs Protonmail
I like Protonmail design and them forcing two different passwords to access the encrypted inbox. The main reason why I did not buy a Protonmail premium account is that their paid accounts cost five times more than Posteo. Protonmail has a bigger inbox but I wasn’t going to use it.
It also put me off a bit knowing that in 2015 Protonmail had paid ransom to some cybercriminals DDoS their servers, it shakes my trust on how much of a fight the company is willing to put up for what it is right when I see Protonmail selecting the easy way and pay up to avoid problems.
Posteo vs Tutanota
I was really close to buying a Tutanota premium account, they offer more aliases than Posteo, both companies are based in Germany, and cost the same, plus I like a couple of features Tutanota not found in Posteo, like being able to send links to password protected messages.
I finally went for Posteo because of their Mailvelope pre-configuration and because I wanted a company that will not go bust. Posteo has been around for more years than Tutanota and they do not offer loss making free accounts which makes it more likely that they will survive.
Posteo review conclusion
If you are comfortable managing your own PGP encryption keys, want an email service with an encrypted inbox that does not keep logs or records your identity and it comes with lots of features at a cheap price, I think that Posteo is unbeatable, far cheaper than other paid providers (€12/year).
You should also pick Posteo for an email provider with calendar, notes and aliases that will respect your privacy and if you need a mailing list provider, this is still in beta but it should be rolled out soon.
But if you rather have your email provider do to all PGP encryption for you at the back end don’t pick Posteo and if you wish to pay with Bitcoins Posteo should be out of limits for you too.
Getting fed up noticing daily brute force attacks in the server logs I decided to upper the game and implement two factor authentication (2FA) in the blog login page, this way even if a trojan horse in my PC captures the long random password nobody will be able to break in.
The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, together with the matter of mobile apps wasting time requiring you to enter a long random number in the login page. For those reasons, I decided that a hardware token authentication was preferable and I bought a Yubikey Edge and a Yubikey Neo.
The main difference in between the Yubikey Neo and the Edge is that Neo has NFC and it can be used with a smartphone or tablet that supports NFC, usually high end models, without the need for any USB port.
Yubikey Neo and Edge
Something to remember is that Yubikeys only work with the Chrome browser, Mozilla Firefox intends to add U2F support in the future but this has not been done yet.
Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it doesn’t have security complications and it works. I also use the Yubikey with Vivaldi, a Chrome based browser and it also works, this way I can avoid a pure Chrome browser loaded with Google spyware.
Before buying the tokens I researched on Yubico’s website what online services I could use the Yubikeys with, that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.
Yubico lists self-hosted WordPress blogs as “supported“, after buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico, it has been coded by an individual and it has not been updated for over two years, it rightly comes up flagged with a security warning in the WordPress plugin directory.
Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Sure not and I think that anybody who cares about their WordPress blog wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.
The second account I wanted to use the Yubikey with is my Google Account, again a problem comes up. I have no idea why it happened but facts are facts and after setting up the Yubikey with my Google Account and using it a couple of times it suddenly stopped working.
I attempted to make it work with a Chrome based browser (Vivaldi) and Firefox, I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesnt like the Yubikey, although officialy Google supports Universal Two Factor authentication tokens the Yubikey will not show up in the log in page anymore.
The third account I wanted to secure with the Yubikey is my Fastmail account, another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication, all it does is to give you the choice to use a Yubikey to login into your email account from a public computer without having to worry about the password being stolen.
Yubikeys with Fastmail will not stop brute force attacks of your main username, and if anybody steals your login masterpassword you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail can not do that.
Yubikey Edge and Yubikey Nano with NFC
Yet more dissapointments trying to set up my Yubikey with Evernote, Yubico lists it as supported but I find out that that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated but it means software has to be installed into your computer and time spent which defeats some of the purposes of using a hardware token for authentication, like simplicity.
Another problem, Dashlane is listed as one of the password managers supporting Yubikey to login, but only for a price, you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.
Conclusion Yubikey review
I am entirely out of love with the Yubikey, a few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but other problems like the outdated plugin for WordPress I feel it is partly Yubico’s responsability. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.
The commendations for the Yubikey are that it is sturdy, it needs no battery and I had zero problems about drivers, but until it works for real in major websites I am not going to recommend it to any of my friends and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey on a certain service, visit that page and get the information directly from them instead of Yubico.
Promising project, too bad it can’t be used as intended anywhere meaningful.
SecureGmail is an open source Chrome browser extension to encrypt and decrypt Gmail messages with one click. After installation you will see a red padlock next to the compose button in Gmail, clicking on it will launch the compose window with a red bar that says “Secured“. Unlike other encryption extensions, SecureGmail does not allow Google servers to keep a draft of your message and encryption takes place in your browser, Google will be unable to read anything other than scrambled text, however, attachments are not encrypted, SecureGmail only works for text.
You will be asked to enter a password after you have written the email and, optionally, a password hint. You will have to either, transmit the password to the receiver by secure means, or enter a password hint that the receiver can easily guess. When the other end receives the message he will see scrambled text and a warning saying “This message is encrypted, decrypt message with password“.
encrypted Gmail messages SecureGmail
The strength or SecureGmail is that Google is kept out of the equation by not giving the company any way to read plain text, SecureGmail open source code allows others to check for bugs and email encryption is extremely easy and quick, but there are also many SecureGmail downfalls, the first one is that both parts must have the same extension installed to be able to encrypt and decrypt data, the second problem is that sender and receiver must be both using the same browser, SecureGmail only works in Chrome, and a third obvious problem is that the password has be transmitted, this will encourage people to reuse passwords and it will reduce security.
SecureGmail can be useful for an organisation that has their email hosted by Gmail, but only for staff conversations as sending email to outsiders would be sure to slam against one of the problems highlighted above. If you need a way to encrypt email that can be delivered anywhere, consider learning about PGP and Enigmail or download the Mailvelope extension.
People concerned about privacy should not be using Gmail, but if you do, encrypting it will give the NSA some work to do in between reading clear text messages. Encryption can not protect you from the who is communicating with who server metadata, trying to fool the NSA using Gmail is like trying to win the lottery by praying to Allah, a total waste of time.
There are plenty of reasons not involving national security about why you will want to encrypt your email messages, like not wanting readable email messages stored in your inbox for ever and protecting yourself from embarrassment if a typo sends an email message to the wrong inbox. In scenarios where metadata collection is not an issue, an extension that encrypts email is adequate protection.
