Encryption for the Earthbound

In a world where every message is scanned, every movement tracked, every relationship graphed by algorithms of control, privacy is not secrecy—it's survival. Encryption is the armor that protects the vulnerable, the shield that lets the hunted communicate, the lock that keeps the state from your recipes, your plans, your people.

This is practical cryptography for those who need it: activists, organizers, the earthbound communities building alternatives to extraction and empire. No math degree required. Just the will to learn and the need to stay free.

The Threat Model: Who Are You Hiding From?

Encryption only makes sense in context. Different adversaries require different defenses.

Threat Levels

Level 1: Corporate surveillance

  • Adversary: Data brokers, advertisers, tech platforms
  • Goal: Profit from your behavior, manipulate your choices
  • Defense: Basic encryption, privacy tools, minimal metadata exposure
  • Risk: Annoyance, manipulation, profiling

Level 2: Employer/institutional monitoring

  • Adversary: Bosses, school administrators, HR departments
  • Goal: Control behavior, punish dissent, monitor productivity
  • Defense: End-to-end encryption, compartmentalization, burner accounts
  • Risk: Firing, expulsion, blacklisting

Level 3: Law enforcement

  • Adversary: Local police, FBI, prosecutors
  • Goal: Evidence for prosecution, intelligence gathering, disruption
  • Defense: Strong encryption, metadata minimization, legal caution, security culture
  • Risk: Arrest, prosecution, infiltration, harassment

Level 4: State-level adversaries

  • Adversary: Intelligence agencies, military, authoritarian regimes
  • Goal: Total surveillance, preemptive neutralization, suppression of movements
  • Defense: Air-gapped systems, one-time pads, steganography, physical security, tradecraft
  • Risk: Disappearance, torture, assassination, mass surveillance

Level 5: Active targeting

  • Adversary: Nation-state with resources dedicated to your specific compromise
  • Goal: Your specific communications, your network, your destruction
  • Defense: Extreme compartmentalization, hardware tokens, Tails/Qubes, disposable devices, offline coordination
  • Risk: Everything

Most readers face Levels 1-3. This guide addresses Levels 1-4. Level 5 requires dedicated training and operational security protocols beyond this scope.

The Basics: What Encryption Actually Does

Encryption is math that scrambles data so only authorized parties can read it. Two fundamental types:

Symmetric Encryption

One key locks and unlocks. Like a physical key—if you have it, you can open the door.

Used for: Encrypting files, disk encryption, secure messaging (in some protocols)

Examples: AES (the standard), ChaCha20 (modern alternative)

Key management challenge: How do you share the key securely? Anyone who intercepts the key can decrypt everything.

Asymmetric Encryption (Public Key)

Two keys: one public, one private. The public key encrypts; only the private key decrypts. You can share your public key widely—anyone can encrypt to you, but only you can read it.

Used for: Email encryption (PGP), secure website connections (TLS/HTTPS), cryptocurrency

Examples: RSA (older, larger keys), Ed25519/X25519 (modern, smaller keys, faster; Ed25519 for signatures, X25519 for key agreement)

The magic: You never share your private key. It never leaves your device. A mathematical relationship between the keys makes this work—knowing the public key doesn't help you derive the private key.

Practical Tools: What to Actually Use

Messaging: Signal

Why Signal: Open source, end-to-end encrypted by default, metadata-minimizing, nonprofit-funded, widely trusted by security researchers.

How it works:

  • Messages encrypted on your device, decrypted only on recipient's device
  • Signal servers can't read message content
  • Phone number required (privacy tradeoff for usability)
  • Disappearing messages available
  • Group chats encrypted
  • Voice and video calls encrypted

Best practices:

  • Enable disappearing messages (24 hours or less for sensitive)
  • Verify safety numbers (key fingerprints) with important contacts
  • Use registration lock (prevents SIM swap attacks)
  • Don't back up to cloud (defeats encryption)

Limitations:

  • Requires phone number (use Google Voice or similar for pseudonymity)
  • Centralized servers (could be compelled to log metadata)
  • Not anonymous by default

Email: PGP (Pretty Good Privacy)

Why PGP: Decentralized, no single point of failure, works with any email provider, standard for activist communications.

How it works:

  • Generate keypair (public + private)
  • Share public key widely (keyservers, email signature, website)
  • Others encrypt to your public key
  • Only your private key decrypts
  • Sign messages to prove identity

Tools:

  • GnuPG (GPG): The standard implementation
  • Thunderbird + Enigmail: Email client with built-in PGP
  • K-9 Mail + OpenKeychain: Android
  • iOS: Canokey, PGP Everywhere (limited options)

Best practices:

  • Keep private key offline (air-gapped device, hardware token)
  • Use subkeys for daily use, keep master key secure
  • Set key expiration dates (they can be extended; expiry limits the damage if the key is lost)
  • Generate a revocation certificate (publish it if the key is compromised)

Limitations:

  • Metadata not encrypted (who emailed whom, when, subject lines)
  • Complex key management
  • Easy to use wrong (replying unencrypted, forgetting to sign)
  • No forward secrecy (if key compromised later, old messages decryptable)

File Encryption

VeraCrypt (disk/container encryption):

  • Create encrypted volumes (files that mount as drives)
  • Plausible deniability (hidden volumes within visible ones)
  • Cross-platform
  • Use case: Sensitive documents, offline backups

GPG file encryption:

gpg --encrypt --recipient [key-id] filename    # Encrypt to someone
gpg --symmetric filename                        # Encrypt with password

LUKS (Linux disk encryption):

  • Full disk or partition encryption
  • Standard in most Linux distros
  • Use case: Protect laptop if stolen

Browsers and Web Privacy

Tor Browser:

  • Routes traffic through volunteer relays, hiding origin
  • Access .onion hidden services
  • Defends against traffic analysis
  • Slower, but private
  • Use case: Researching without attribution, accessing blocked sites

Firefox + Privacy Badger + uBlock Origin:

  • Blocks trackers
  • HTTPS Everywhere (redirects to encrypted connections)
  • Container tabs (isolate sites from each other)

VPNs (Virtual Private Networks):

  • Encrypt traffic to VPN server
  • Hides traffic from local network (coffee shop, employer)
  • Hides origin from destination websites
  • Does NOT anonymize (VPN provider knows who you are)
  • Use case: Public wifi protection, bypassing local censorship

Important: VPNs are not magic. They shift trust from ISP to VPN provider. Free VPNs often sell your data. Paid VPNs can be compelled to log. Tor is better for anonymity; VPNs are better for convenience and local protection.

Metadata: The Data About Data

Encryption protects content. Metadata reveals everything else:

  • Who you communicate with
  • When and how often
  • Your location
  • Your device type
  • Message size
  • Communication patterns

Example: Even if Signal content is encrypted, Signal knows:

  • Your phone number
  • Who you messaged
  • When
  • How often

Defense strategies:

  • Use multiple communication methods (don't put all eggs in one basket)
  • Minimize contact list exposure
  • Consider burner phones for sensitive coordination
  • Air-gapped systems for most sensitive planning
  • Face-to-face for highest-security discussions

Security Culture: The Human Layer

Encryption fails when people fail. Technical tools matter less than operational security.

The Principles

1. Compartmentalization: Don't mix identities, devices, or contexts.

  • Separate phone for organizing vs. personal life
  • Separate email for activism vs. work
  • Separate social media identities
  • Never cross the streams

2. Need-to-know: Only share information with those who need it.

  • Don't tell comrades details they don't need
  • Don't document what doesn't need documenting
  • Don't put names to roles unnecessarily

3. Verify, then trust: Confirm identity before sharing sensitive information.

  • Meet in person to verify Signal safety numbers
  • Use out-of-band verification (phone call to confirm key)
  • Watch for changes in keys (compromise indicator)
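The verify-then-trust principle in code, as an added example that is not part of the original page and is not how Signal itself derives safety numbers: a SHA-256-based fingerprint of a public key is shown as digit groups for reading aloud, pinned on first contact (trust on first use), and any later change for the same contact is flagged as a compromise indicator. The fingerprint format, the `KeyPinStore` class and the fixed-byte keys used in the usage call are constructed for illustration.

```python
import hashlib


def fingerprint(public_key: bytes) -> str:
    """Human-comparable fingerprint: SHA-256 of the key bytes, rendered as
    12 groups of 5 decimal digits so two people can read it aloud and compare.
    (Constructed scheme for illustration; Signal's safety-number derivation differs.)"""
    digest = hashlib.sha256(public_key).digest()
    number = int.from_bytes(digest, "big")
    groups = []
    for _ in range(12):
        groups.append(f"{number % 100000:05d}")
        number //= 100000
    return " ".join(groups)


class KeyPinStore:
    """Trust-on-first-use store: remembers the first key seen for each contact
    and reports any later change, which is the 'watch for changes in keys' signal."""

    def __init__(self):
        self.pins = {}  # contact name -> pinned fingerprint

    def check(self, contact: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        known = self.pins.get(contact)
        if known is None:
            self.pins[contact] = fp
            return "NEW: verify out of band before trusting"
        if known == fp:
            return "OK: matches pinned key"
        return "CHANGED: key differs from pinned key; re-verify in person"


def verify_out_of_band(local_fp: str, spoken_fp: str) -> bool:
    """Compare the fingerprint on your screen with the one your contact reads
    over a call or in person. Whitespace-insensitive so grouping doesn't matter."""
    return local_fp.replace(" ", "") == spoken_fp.replace(" ", "")


if __name__ == "__main__":
    store = KeyPinStore()
    alice_key = b"\x01" * 32   # constructed stand-in for a real public key
    print(store.check("alice", alice_key))
    print(store.check("alice", alice_key))
    print(store.check("alice", b"\x02" * 32))  # different key: CHANGED
    print(fingerprint(alice_key))
```

The point of the pin store is the third call: a key that silently changes is exactly the event a careful contact should stop and verify, because it is indistinguishable from a reinstalled phone or from an interception.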

4. Assume compromise: Act as if your communications are being monitored.

  • Don't put in writing what you wouldn't say in court
  • Don't assume encryption is perfect
  • Plan for key compromise

5. No boasting: Security culture includes shutting down inappropriate talk.

  • "Don't ask, don't tell" for sensitive actions
  • Challenge people who overshare
  • Remove people who can't maintain security

What Not to Do

Don't:

  • Talk about illegal activities over unencrypted channels
  • Store sensitive documents unencrypted
  • Use the same password everywhere
  • Click suspicious links (phishing attacks)
  • Trust new people immediately
  • Use biometrics for device unlocking (can be compelled)
  • Post about ongoing operations
  • Bring phones to sensitive meetings (leave in Faraday bag or elsewhere)
  • Forget that your metadata is being collected

Advanced Techniques

Steganography

Hiding messages in plain sight—images, audio files, even text.

Use cases:

  • Getting messages past censors
  • Publishing whistleblower materials
  • Coordination under total surveillance

Tools:

  • Steghide: Embed data in images
  • OpenStego: Cross-platform steganography
  • Outguess: Statistical steganography (harder to detect)

Important: Steganography provides plausible deniability, not strong encryption. If suspected, messages can be extracted. Combine with encryption (encrypt first, then hide).
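A minimal least-significant-bit embedder, as an added example that is not part of the original page and is not code from Steghide, OpenStego or Outguess: it writes a length-prefixed payload into the lowest bit of each pixel of a constructed 8-bit grayscale pixel array, which changes every pixel by at most 1. The `extract` function is the reason for the "encrypt first, then hide" rule: anyone who suspects the image and knows the scheme gets the bytes back as-is. Pixel array, payload and function names are constructed for illustration.

```python
import secrets
import struct


def embed(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of each pixel (LSB steganography).
    A 4-byte big-endian length prefix tells the extractor where the payload ends."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8
    if needed > len(pixels):
        raise ValueError(f"cover too small: need {needed} pixels, have {len(pixels)}")
    out = bytearray(pixels)
    bit_index = 0
    for byte in data:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            out[bit_index] = (out[bit_index] & 0xFE) | bit
            bit_index += 1
    return bytes(out)


def extract(pixels: bytes) -> bytes:
    """Recover the payload from a cover produced by embed(). No key is involved:
    the scheme hides that a message exists, it does not protect its content."""

    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (pixels[start_bit + i * 8 + j] & 1)
            result.append(value)
        return bytes(result)

    (length,) = struct.unpack(">I", read_bytes(0, 4))
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size; not a valid embed")
    return read_bytes(32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How visibly did embedding alter the image? LSB changes each pixel by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n_pixels: int) -> bytes:
    """Constructed 'image': random 8-bit grayscale pixels standing in for a real photo."""
    return secrets.token_bytes(n_pixels)


if __name__ == "__main__":
    cover = make_cover(4096)
    stego = embed(cover, b"meeting moved to thursday")  # constructed payload
    print("max pixel change:", max_pixel_change(cover, stego))
    print("anyone who looks finds:", extract(stego))
```

Real tools embed into compressed formats and spread bits to resist statistical detection, but the structural lesson is the same: if the payload going into `embed` is plaintext, the payload coming out of `extract` is plaintext too.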

One-Time Pads

Unbreakable encryption—if used correctly.

Requirements:

  • Key as long as the message
  • Key truly random
  • Key never reused
  • Key destroyed after use

In practice: Almost never practical for digital communications. Physical exchange of pads required beforehand. Used for highest-security embassy communications, spycraft.
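The four requirements above, shown in code as an added example that is not part of the original page: the pad is generated from the operating system's cryptographic random source and is exactly as long as the message, XOR is used both ways, and a deliberately broken case shows what happens when the "never reused" rule is violated. The pad cancels out of the XOR of two ciphertexts, so the two plaintexts leak against each other and guessing one reveals the other. Function names and the sample messages are constructed for illustration; the key-destruction requirement cannot be demonstrated in a Python process, which is one reason the author's "almost never practical" caveat holds.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Requirement 1 and 2: as long as the message, and drawn from a CSPRNG
    (secrets.token_bytes uses the OS random source, never a seeded PRNG)."""
    return secrets.token_bytes(length)


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR is its own inverse, so the same function encrypts and decrypts.
    A pad shorter than the message is refused: stretching or cycling a pad
    turns a one-time pad into a breakable repeating-key cipher."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: never truncate or cycle a pad")
    return bytes(a ^ b for a, b in zip(data, pad))


def reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Requirement 3 violated: what an observer gets when one pad covers two
    messages. c1 XOR c2 == m1 XOR m2; the pad has cancelled out entirely."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def recover_other(xor_of_plaintexts: bytes, known_plaintext: bytes) -> bytes:
    """With the pad gone, knowing (or guessing) one plaintext gives the other
    for free. This is why reuse, not the cipher, is what breaks a pad."""
    return bytes(a ^ b for a, b in zip(xor_of_plaintexts, known_plaintext))


if __name__ == "__main__":
    m1 = b"the pad must never be reused"   # constructed messages
    m2 = b"second message, same length!"
    pad = generate_pad(len(m1))
    c1 = otp(m1, pad)
    assert otp(c1, pad) == m1            # round trip works
    c2 = otp(m2, pad)                    # the mistake: same pad twice
    leak = reuse_leak(c1, c2)
    print("observer recovers:", recover_other(leak, m1))
```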

Air-Gapped Systems

Computers never connected to the internet.

Use case: Highest security—generating keys, storing secrets, planning sensitive operations.

Setup:

  • Old laptop, remove wifi/bluetooth cards
  • Boot from Tails USB (amnesic live OS)
  • Generate keys, store on encrypted USB
  • Transfer files via sneaker-net (physical USB movement)
  • Never connect to network

Security: No remote compromise possible. Physical access required to breach.

Plausible Deniability

Hiding that you're hiding something.

VeraCrypt hidden volumes:

  • Outer volume with innocent files
  • Inner hidden volume with sensitive files
  • Different passwords for each
  • If compelled to decrypt, show outer volume, keep hidden volume secret

Deniable encryption: Don't use standard encryption headers that announce "encrypted data here."

Dead Drops and Cutouts

Offline communication methods:

Dead drops: Physical location to leave messages—hollowed rocks, magnetic containers, etc. Pre-arranged locations, check for surveillance, leave nothing traceable.

Cutouts: Intermediaries who relay messages. Don't know content, just pass along. Compartmentalizes communication chains.

One-time pads: Written messages using pre-shared keys. Burn after reading.

Organizational Security

For Groups and Collectives

Role-based access:

  • Different levels of access to different information
  • Need-to-know strictly enforced
  • Technical role for security decisions

Secure meetings:

  • No phones in the room (Faraday bags or left outside)
  • Sweep for recording devices if high-risk
  • Designated note-taker, encrypted notes
  • No minutes for sensitive decisions

Secure file sharing:

  • Nextcloud with end-to-end encryption
  • OnionShare (Tor-based file sharing)
  • Physical encrypted drives for large files

Incident response:

  • Plan for compromise: who does what, how to communicate breach, rotating keys
  • Practice drills
  • Learn from mistakes without blame

Signal Groups Best Practices

Group creation:

  • Use ephemeral groups for actions
  • Disappearing messages mandatory
  • No real names in group names or member names
  • Verification of all members

Group hygiene:

  • Kick inactive members
  • Rotate groups periodically
  • Assume group membership is known
  • Don't discuss active operations in long-standing groups

Legal Considerations

Encryption is legal (mostly):

  • US: Legal to use, legal to develop
  • Some countries restrict: China, Russia, parts of the Middle East
  • "Key disclosure laws": UK, Australia can compel decryption
  • Crossing borders: Devices may be searched, encryption may trigger secondary screening

If questioned:

  • Don't lie to federal agents (it's a crime)
  • Don't answer questions (right to remain silent)
  • Ask for lawyer
  • Don't decrypt voluntarily (creates precedent)

Border crossings:

  • Travel with minimal devices
  • Use burner devices
  • Wipe sensitive data before crossing (restore from cloud after)
  • Consider that devices may be cloned

The Philosophy of Earthbound Encryption

The state wants total information awareness. Corporations want total consumer profiling. Employers want total worker surveillance. Encryption is the resistance—the technical assertion that some thoughts, some plans, some relationships belong only to those involved.

Encryption as mutual aid: Sharing knowledge of secure tools is like sharing seeds or recipes. It strengthens the network.

Encryption as prefiguration: Building the secure communication infrastructure we want to exist, practicing the privacy norms we want normalized.

Encryption as survival: For the hunted, the organizers, the heretics—encryption is not abstract. It's the difference between freedom and cage.

The encryption is not the point: The point is what it enables—free assembly, free speech, free association, in an age of total surveillance. The tools are means. Liberation is the end.

Quick Start: Get Secure Today

Install immediately:

  1. Signal (messaging)
  2. VeraCrypt (file encryption)
  3. Firefox + Privacy Badger + HTTPS Everywhere

Configure today:

  1. Full-disk encryption on all devices
  2. Password manager (Bitwarden, KeePassXC)
  3. Unique strong passwords for everything
  4. Two-factor authentication (TOTP, not SMS)

Practice this week:

  1. Verify Signal safety numbers with important contacts
  2. Encrypt a file with GPG, send to comrade, have them decrypt
  3. Set up disappearing messages
  4. Establish security culture with your group

Maintain always:

  1. Software updates (security patches)
  2. Regular key rotation
  3. Security culture reminders
  4. Assume compromise, plan accordingly

Resources

Tools:

  • Signal: signal.org
  • VeraCrypt: veracrypt.fr
  • Tor: torproject.org
  • GnuPG: gnupg.org

Education:

  • EFF Surveillance Self-Defense: ssd.eff.org
  • Security Education Companion: sec-edu.github.io
  • CryptPad (encrypted docs): cryptpad.fr

Communities:

  • Riseup.net (radical tech collective)
  • May First (movement tech)
  • Local hacklabs and anarchist tech spaces

Remember: The tool is not the practice. Encryption works when people work together, verify each other, maintain discipline, and build security culture. Technical knowledge without operational security is false confidence.

Encrypt. Verify. Compartmentalize. Trust comrades, verify identity, and build the secure networks that outlast the surveillance state.

The math is on our side. The practice is up to us.