Secure Mail Client | Academy
Advanced 45 minutes

High-Risk User Protection

Understanding Elevated Threat Models

While security best practices are important for everyone, certain individuals and organizations face heightened risks due to their profession, activities, or access to sensitive information. This module provides specialized guidance for those operating under sophisticated threat models.

The protection of high-risk individuals requires a multilayered approach that addresses unique threat scenarios, adversary capabilities, and operational contexts. This comprehensive guide covers both technical and operational security components designed to safeguard those with elevated risk profiles.

High-Risk User Categories

Public Interest Professionals

  • Investigative journalists and reporters in conflict zones
  • Human rights defenders and humanitarian workers
  • Whistleblowers and confidential sources
  • Election monitors and democratic process observers
  • Independent media operators in restrictive regions

Political and Civil Society Actors

  • Political dissidents and opposition figures
  • Activists in authoritarian or surveillance states
  • Religious and ethnic minority community leaders
  • LGBTQ+ advocates in hostile environments
  • Environmental defenders confronting powerful interests

High-Value Targets

  • Corporate executives and board members
  • Government officials and diplomats
  • High-net-worth individuals and their families
  • Custodians of sensitive intellectual property
  • Security researchers studying state-level threats

Targeted Individuals

  • Victims of stalking and digital harassment
  • Survivors of domestic abuse and intimate partner violence
  • Public figures subjected to doxxing and swatting
  • Individuals under legal or political pressure
  • Witnesses in sensitive legal proceedings

Risk Assessment and Threat Modeling

The foundation of any high-risk security strategy begins with thorough threat modeling. This process involves identifying potential adversaries, their capabilities, motivations, and the specific vulnerabilities they might exploit.

Security Alert

The Five-Step Threat Modeling Process

  1. Identify assets: What are you protecting? (communications, sources, physical safety, etc.)
  2. Map adversaries: Who might target you and why?
  3. Assess capabilities: What resources and methods can they deploy?
  4. Analyze vulnerabilities: Where are your points of weakness?
  5. Develop mitigations: Create layered defenses for each identified vulnerability

Adversary Capability Assessment

Before implementing security measures, it's essential to understand the capabilities and resources available to potential adversaries targeting high-risk individuals:

Columns: Adversary Type / Capabilities / Key Threats / Defense Priority (with recommended defenses)

Nation-State Actors
  Capabilities:
    • Zero-day exploits
    • Advanced persistent threats
    • Hardware interdiction
    • Legal coercion of service providers
    • Physical surveillance
    • Telecom infrastructure access
  Key Threats:
    • Border device seizure
    • Infrastructure compromise
    • Supply chain attacks
    • Sophisticated phishing operations
    • Long-term intelligence gathering
    • Firmware/hardware implants
    • Legal prosecution/persecution
  Defense Priority: Extreme
  Recommended defenses: Air-gapped systems, burner devices, in-person verification, compartmentalized operations

Sophisticated Criminal Groups
  Capabilities:
    • Commercial spyware
    • Ransomware/malware deployment
    • Social engineering
    • Purchasing exploits
    • Insider recruitment
    • Physical reconnaissance
  Key Threats:
    • Financial theft
    • Extortion
    • Account takeovers
    • Data breaches
    • Targeted malware attacks
    • Credential harvesting
  Defense Priority: High
  Recommended defenses: Hardware security keys, multi-factor authentication, encrypted communications, secure OS usage

Hacktivists & Ideological Groups
  Capabilities:
    • OSINT techniques
    • DDoS attacks
    • Credential stuffing
    • Public doxxing
    • Social media monitoring
    • Collaborative targeting
  Key Threats:
    • Reputation damage
    • Service disruption
    • Selective information leaks
    • Harassment campaigns
    • Privacy violations
    • Public exposure of sensitive data
  Defense Priority: Moderate
  Recommended defenses: Strong passwords, 2FA, privacy-focused services, minimal public footprint, pseudonymous accounts

Individual Attackers
  Capabilities:
    • Social media monitoring
    • Basic phishing
    • Physical tracking
    • Public info gathering
    • Malware purchase/deployment
    • Social engineering
  Key Threats:
    • Personal harassment
    • Stalking
    • Impersonation
    • Physical confrontation
    • Revenge scenarios
    • Reputational attacks
  Defense Priority: Base
  Recommended defenses: Private online accounts, careful location sharing, personal safety planning, privacy settings reviews

Threat Assessment Matrix

Security measures should be calibrated to match the specific threats you face. This matrix helps evaluate which protections are most important based on your adversary's capabilities and your vulnerability profile.

Columns: Risk Level / Low Capability Adversary / Medium Capability Adversary / High Capability Adversary

Low Sensitivity Data
  Low capability adversary: Standard (basic security practices, HTTPS, standard encryption)
  Medium capability adversary: Enhanced (2FA, encrypted messaging, device encryption)
  High capability adversary: Elevated (hardware tokens, separate accounts, minimal metadata)

Medium Sensitivity Data
  Low capability adversary: Enhanced (strong encryption, 2FA, privacy-focused services)
  Medium capability adversary: Elevated (E2E encryption, identity separation, secure OS)
  High capability adversary: High (hardened devices, access controls, minimal services)

High Sensitivity Data
  Low capability adversary: Elevated (strong compartmentalization, encrypted storage, minimal exposure)
  Medium capability adversary: High (dedicated devices, advanced encryption, anonymous channels)
  High capability adversary: Extreme (air-gapped operations, maximum compartmentalization, advanced OPSEC)

Security Alert

Risk Assessment First

Before implementing advanced security measures, carefully assess your specific threats. Over-securing can lead to usability issues and security fatigue, while under-securing leaves vulnerabilities. Tailor your approach to your actual threat profile.

Comprehensive Protection Framework

High-risk users require a layered, comprehensive approach to digital security that goes beyond standard best practices. The following framework addresses the specific challenges faced by those under elevated threat:

Identity and Access Protection Strategies

For high-risk individuals, protection begins with advanced identity management. This involves carefully structuring how you present yourself digitally and physically, with multiple layers of separation between identities to prevent correlation.

Identity Compartmentalization

Create distinct, separated identities for different contexts to minimize cross-contamination risks:

  • Public identity - For general professional or public-facing activities
  • Sensitive operations identity - For confidential communications
  • Emergency identity - Reserved for high-risk situations, known only to trusted contacts
  • Personal identity - For family and close friends, segregated from work
  • Transactional identity - Single-use or temporary identities for specific operations
  • Service-specific identities - Different identities for different digital ecosystems

Advanced Authentication

Implement multi-layered authentication strategies beyond standard 2FA:

  • Multiple hardware keys - Primary, backup, and emergency recovery keys stored in different locations
  • Time-based access protocols - Scheduled access windows for sensitive accounts
  • Location-based authentication - Requiring specific secure locations for certain operations
  • Duress indicators - Hidden authentication signals indicating coercion
  • Tiered access systems - Different authentication levels for different sensitivity operations
  • Multi-party authorization - Critical operations requiring approval from multiple parties
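As an added example (not Secure Mail Client's own code), the following Python implements the "duress indicators" item above: a PIN record holds salted hashes of both a normal and a duress PIN, and entering the duress PIN unlocks only a decoy profile while silently flagging coercion. The function names (`enroll`, `verify`, `emergency_actions`) and the profile names are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Added example (not Secure Mail Client's code): PIN verification with a
# hidden duress PIN. Entering the duress PIN looks like a normal unlock to
# anyone watching, but opens only a decoy profile and sets a coercion flag
# that a client would use to trigger its pre-configured emergency actions.

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def _derive(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen record cannot be brute-forced cheaply."""
    return hashlib.scrypt(pin.encode("utf-8"), salt=salt, **SCRYPT)


def enroll(normal_pin: str, duress_pin: str) -> dict:
    """Store salted hashes for both PINs; the two must differ."""
    if normal_pin == duress_pin:
        raise ValueError("duress PIN must differ from the normal PIN")
    salt = os.urandom(16)
    return {"salt": salt,
            "normal": _derive(normal_pin, salt),
            "duress": _derive(duress_pin, salt)}


def verify(record: dict, entered: str) -> dict:
    """Return which profile (if any) to unlock and whether coercion was signalled.

    Both comparisons always run, so timing does not reveal which PIN matched,
    and the outward result of a duress unlock is identical to a normal one.
    """
    candidate = _derive(entered, record["salt"])
    is_normal = hmac.compare_digest(candidate, record["normal"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_normal:
        return {"unlocked": True, "profile": "primary", "coerced": False}
    if is_duress:
        return {"unlocked": True, "profile": "decoy", "coerced": True}
    return {"unlocked": False, "profile": None, "coerced": False}


def emergency_actions(result: dict) -> list:
    """Actions a client would queue silently when the coercion flag is set."""
    if not result["coerced"]:
        return []
    return ["notify pre-arranged contacts over an out-of-band channel",
            "wipe key material of the sensitive profiles",
            "keep presenting the decoy profile"]


if __name__ == "__main__":
    rec = enroll("2468", "1357")
    for pin in ("2468", "1357", "0000"):
        r = verify(rec, pin)
        print(pin, r, emergency_actions(r))
```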

Implementing Identity Separation

Effective identity compartmentalization requires technical and operational measures to prevent cross-contamination:

Technical Separation
  • Dedicated devices for different identity contexts
  • Virtual machines with distinct networking configurations
  • Secure boot environments with amnesic properties
  • Non-overlapping network access (different VPNs, Tor circuits)
  • Hardened browser profiles with anti-fingerprinting
Operational Practices
  • Clean-room discipline when switching identities
  • Scheduled identity usage with buffer periods
  • Different linguistic patterns for different identities
  • Metadata awareness and minimization across identities
  • Regular identity review for correlation risks
Physical Controls
  • Distinct physical locations for different identity work
  • Physical device separation with secure storage
  • RF-shielded environments for sensitive operations
  • Visual privacy controls (screen protectors, private workspaces)
  • Environmental awareness and counter-surveillance practices

Example: Creating Isolation with Tails OS and Secure Mail Client

Advanced Email Security for High-Risk Users

For those facing sophisticated adversaries, standard email encryption practices need to be supplemented with additional security measures:

Enhanced PGP Practices

  • Air-gapped key generation - Create master keys on offline systems never connected to networks
  • Multiple subkey sets - Different subkeys for different identity contexts
  • Shorter key rotation cycles - Regularly refresh encryption subkeys
  • Encrypted key backups - Distributed, encrypted storage of master key material
  • Hardware-protected keys - Multiple security keys with touch verification

Metadata Protection

PGP doesn't protect email metadata. Additional measures are needed:

  • Anonymized email services - Providers with minimal logging and resistant to legal pressure
  • Tor-routed email - Access email exclusively through Tor network
  • Disposable identities - Time-limited or single-purpose email addresses
  • Irregular access patterns - Varied timing to avoid behavioral fingerprinting

Content Security

  • Nested encryption - Multiple layers of encryption for highest sensitivity content
  • Forward secrecy protocols - When available, prefer mechanisms providing forward secrecy
  • Code word systems - Pre-arranged verification and authentication phrases
  • Steganography - Hiding encrypted content within ordinary-looking files
  • Out-of-band verification - Secondary channels to verify message authenticity

Warning

Metadata Matters

Remember that standard PGP encryption doesn't hide who you're communicating with, when, how often, or the subject lines. In high-risk scenarios, this metadata can be as revealing as content. Additional protections like anonymizing networks and secure email providers are essential.

Advanced Device Security and Operational Controls

In high-risk environments, how you interact with technology becomes as important as the security measures implemented. Device security and operational protocols must work together to create a comprehensive defense system.

Device Isolation and Security

  • Device compartmentalization - Dedicated devices for sensitive operations
  • Air-gapped systems - Offline computers for key management and sensitive content
  • Secure boot environments - Boot from verified, encrypted media
  • Physical security controls - Tamper-evident seals, secure storage, and lock devices
  • Burner devices - Single-use hardware for highest risk communications
  • Surveillance countermeasures - RF blocking, camera covers, microphone disablers
  • RAM-only computing - Operations that leave no persistent artifacts
  • Side-channel protection - Mitigations for acoustic, electromagnetic, and power analysis

Operational Security Protocols

  • Out-of-band verification - Separate channels for authenticating communications
  • Emergency response planning - Procedures for suspected compromise
  • Travel security protocols - Border crossing procedures, temporary devices
  • Secure contact protocols - Methods for establishing secure first contact
  • Regular security audits - Methodical review of security practices
  • Counterintelligence awareness - Recognition of surveillance and social engineering
  • Canary systems - Tripwires to detect unauthorized access or compromise
  • Communication contingencies - Fallback methods if primary channels are compromised
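One way to build the "canary systems" item above (a tripwire that detects unauthorized changes to a device's sensitive files), as an added example that is not part of Secure Mail Client: a baseline manifest of file digests is authenticated with a key kept off the device, so an intruder cannot both alter files and rewrite the baseline. The directory layout, file names and function names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Added example (not Secure Mail Client's code): a keyed file-integrity
# tripwire. The baseline manifest is authenticated with a key that lives off
# the monitored device (hardware token, separate medium), so someone who
# alters files cannot also silently rewrite the baseline to match.


def _digest_tree(root: Path) -> dict:
    """Map relative paths to SHA-256 digests for every regular file under root."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def create_manifest(root: Path, key: bytes) -> bytes:
    """Serialise the digest map and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(_digest_tree(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def check_manifest(root: Path, key: bytes, manifest: bytes) -> dict:
    """Verify the manifest tag, then diff the baseline against the tree now."""
    doc = json.loads(manifest)
    expected = hmac.new(key, doc["body"].encode(), hashlib.sha256).hexdigest()
    report = {"tampered_manifest": False, "added": [], "removed": [], "modified": []}
    if not hmac.compare_digest(expected, doc["tag"]):
        # A bad tag means the baseline itself is untrustworthy: stop here.
        report["tampered_manifest"] = True
        return report
    baseline = json.loads(doc["body"])
    current = _digest_tree(root)
    report["added"] = sorted(set(current) - set(baseline))
    report["removed"] = sorted(set(baseline) - set(current))
    report["modified"] = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return report


def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one and add one."""
    key = os.urandom(32)  # would normally be loaded from off-device storage
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "keys").mkdir()
        (root / "keys" / "pub.asc").write_text("constructed public key\n")
        (root / "client.conf").write_text("route_through_tor=yes\n")
        manifest = create_manifest(root, key)
        # Changes an intruder might make between checks (constructed).
        (root / "client.conf").write_text("route_through_tor=no\n")
        (root / "keys" / "unexpected.bin").write_bytes(b"\x00")
        report = check_manifest(root, key, manifest)
        forged = check_manifest(root, b"wrong-key", manifest)
    return {"report": report, "wrong_key_flagged": forged["tampered_manifest"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```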

Advanced Threat Defense Measures

For the highest risk scenarios, specialized operational and technical measures may be necessary:

Advanced Network Security
  • Tor bridges - Hidden entry points when Tor might be blocked
  • Pluggable transports - Traffic obfuscation to bypass DPI
  • Multi-hop VPN chains - Cascading VPN connections
  • DNS over HTTPS/TLS - Encrypted DNS lookups
  • Traffic analysis countermeasures - Padding, timing protection
Physical Defense & Travel
  • Faraday environments - Signal-blocking workspaces
  • Tamper-evident seals - For critical hardware
  • Clean travel devices - Minimal data when crossing borders
  • Remote device wiping - Emergency data destruction
  • Physical counter-surveillance - Detection and evasion
Emergency Protocols
  • Duress response - Actions under forced access
  • Compromise notification - Warning systems for contacts
  • Emergency credentials - Secure backup access
  • Resource connections - Legal and security support
  • Secure deletion protocols - Forensically sound wiping

Warning

High Security Requires Practice

The most sophisticated security measures are ineffective if not practiced regularly under low-pressure conditions. Conduct periodic drills of your emergency protocols, practice using secure systems until operations become routine, and regularly test your security assumptions. Security procedures that are too complex to execute reliably under stress will fail when needed most.

Implementing Secure Mail Client for High-Risk Users

Secure Mail Client offers advanced features designed specifically for users facing sophisticated threats. Here's a comprehensive guide to configuring SMC for maximum protection:

High-Security Secure Mail Client Configuration

Identity Management

  1. Create separate profiles for each identity context using the Profiles feature
  2. Configure identity-specific keys for each profile, preferably on separate hardware tokens
  3. Enable profile isolation in Settings → Privacy → "Strict Profile Separation"
  4. Set visual indicators for each profile to prevent context confusion
  5. Configure separate proxy settings for different profiles to prevent network correlation
  6. Set up emergency deletion for specific profiles under Settings → Security → "Emergency Actions"

Enhanced Authentication

  1. Configure hardware keys with touch-required policy for all operations
  2. Enable PIN expiration in Settings → Security → "Require PIN re-entry after inactivity"
  3. Set up duress PINs in Settings → Security → Advanced → "Configure Emergency Access"
  4. Enable automatic locking when security key is removed
  5. Configure multi-factor authentication by requiring both hardware key and biometrics
  6. Set up location-based authentication in Settings → Security → Advanced → "Location Policies"

Privacy Hardening

  1. Enable Tor integration in Settings → Network → "Route through Tor network"
  2. Disable remote images and all automatic content loading
  3. Enable secure memory in Advanced Settings to prevent memory scraping
  4. Set metadata minimization options including subject line encryption when available
  5. Configure anti-fingerprinting settings to prevent client identification
  6. Enable RAM-only mode for sensitive operations with no disk persistence

Advanced Secure Mail Client Configuration

For users facing the most sophisticated threats, these additional specialized configurations offer the highest level of protection:

Email Security Hardening

  • Encrypt internal cache - Settings → Advanced → Security → "Encrypt Message Cache"
  • Enable preflight checks - Verifies all security parameters before sending
  • Configure enhanced key verification - Requires out-of-band verification for new contacts
  • Enable dead-drop functionality - For high-risk communications
  • Configure communication scheduling - Send messages during high-traffic periods

Operational Settings

  • Configure offline key management - Air-gapped signing operations
  • Set up steganography options - Hide encrypted messages in regular files
  • Enable remote operation logging - Detect unauthorized access attempts
  • Configure security notifications - Multi-channel alerts for suspicious activity
  • Set up automated key rotation - Regular subkey refresh cycles

Advanced Secure Mail Client Command Line Configuration

Tip

Notification Security

For high-risk users, email notifications can leak sensitive information. In Secure Mail Client, go to Settings → Notifications → "High Security Mode" to disable preview content, sender information, and subject lines from notifications, while still receiving alerts about new messages.

Real-World Case Studies and Scenarios

Real-World Case Studies

Case Study 1: Protecting Investigative Journalists in Hostile Environments

The following case study is based on real security protocols implemented for investigative journalists working in regions with state-sponsored surveillance and threats to press freedom.

The Challenge

A team of investigative journalists needed to communicate securely with sources in a country known for aggressive surveillance, intimidation of journalists, and sophisticated digital monitoring capabilities. Sources faced potential imprisonment if discovered.

Security Implementation
Source Contact Initiation
  • Anonymous tip submission system using Tor-only accessible secure drop
  • Initial source verification through coded references and knowledge challenges
  • Graduated trust model with increasing security as relationship develops
  • Plausible deniability mechanisms at every contact stage
Communications Security
  • Dedicated air-gapped laptops with Tails OS for key management and sensitive communications
  • PGP keys generated offline with master keys never exposed to networked systems
  • Communication access exclusively through Tor network from public locations
  • Time-windowed communication periods arranged through one-time coded signals
  • Regular key rotation and identity compartmentalization
  • Steganography methods to hide even the existence of communications
  • Secure Mail Client configured in maximum security mode with hardware isolation
Operational Protocols
  • Counter-surveillance awareness training and procedures
  • Dead-drop systems for physical evidence exchange
  • Emergency response protocols for suspected compromise
  • Regular security audits and penetration testing of systems
  • Source protection plans including evacuation contingencies
  • Distributed storage of encrypted investigation materials
  • Real-time duress notification systems
Outcome

The security system successfully protected multiple high-risk sources over a three-year investigation. When two journalists were detained at borders, the air-gapped approach ensured no source information was compromised from their devices. The published investigation led to international sanctions against officials involved in human rights abuses.

Case Study 2: Activist Network in Surveillance State

This case study examines how a network of human rights activists operated securely in a region where internet access is heavily monitored and digital dissent is criminalized.

The Challenge

A network of 30+ activists needed to coordinate activities, share documentation of abuses, and communicate with international organizations while operating in an environment where digital communications were monitored, VPNs were illegal, and possession of encryption software could lead to imprisonment.

Security Implementation
Technical Infrastructure
  • Mobile-focused security with offline-first approach
  • Tor-based communications utilizing unlisted bridges
  • Pluggable transports to disguise encrypted traffic
  • Compartmentalized devices for different operational contexts
  • Secure Mail Client configured for maximum deniability
  • Air-gapped signing operations for sensitive communications
  • Decentralized verification systems for authenticating members
Operational Security
  • Cell structure with limited cross-cell knowledge
  • Physical verification protocols before digital trust
  • Regular secure device destruction and replacement
  • "Cold" and "hot" devices with strict separation
  • Micro-SD card based evidence collection with encrypted containers
  • Time-delayed communications to prevent traffic correlation
  • Multiple evacuation triggers with automated alert systems
Technological Innovation

The network developed several custom security solutions to address their unique threat model:

  • Disguised applications - Secure tools camouflaged as common applications
  • Covert signaling system - Using social media as a timing channel for coordination
  • Split-key verification - Requiring multiple trusted parties to authorize sensitive actions
  • Media authentication chain - Cryptographic proof of footage authenticity while protecting sources
Outcome

Despite multiple arrests within the network, the security architecture prevented the compromise of the wider group. The network successfully documented hundreds of human rights violations over two years, with evidence safely reaching international human rights bodies through secure channels. When facing increased risk, the emergency protocols allowed for rapid evacuation of five high-risk members.

High-Risk Scenario Responses

Columns: Scenario / Immediate Response / Recovery Actions

Suspected device compromise
  Immediate response:
    1. Immediately disconnect from all networks
    2. Power down the device completely
    3. Switch to pre-prepared backup device
    4. Alert security contacts using pre-arranged signals
  Recovery actions:
    1. Revoke potentially exposed encryption keys
    2. Secure forensic analysis of compromised device
    3. Notify potentially affected contacts through secure channels
    4. Implement fresh identity compartments with new keys

Forced border device surrender
  Immediate response:
    1. Use pre-configured travel profile with minimal data
    2. Provide decoy accounts if safe to do so
    3. Use duress authentication if configured
    4. Comply with legal orders while protecting sources
  Recovery actions:
    1. Consider device compromised permanently
    2. Activate new identities from backup location
    3. Perform security audit of all connected accounts
    4. Create new secure contact procedures

Suspected surveillance
  Immediate response:
    1. Switch to highest security communication methods
    2. Activate counter-surveillance protocols
    3. Implement irregular movement and access patterns
    4. Use backup devices and locations
  Recovery actions:
    1. Security review with technical specialists
    2. Implement enhanced verification for all contacts
    3. Rotate to emergency communication channels
    4. Consider temporary operational pause

Source safety emergency
  Immediate response:
    1. Activate emergency response team
    2. Implement secure deletion of identifying information
    3. Engage pre-arranged legal support
    4. Use emergency one-way communication protocols
  Recovery actions:
    1. Activate source protection protocols
    2. Consider early publication if it increases safety
    3. Engage trusted human rights organizations
    4. Implement geographic distancing where possible

Additional Resources and Support

Organizations Supporting High-Risk Users

  • Access Now Digital Security Helpline: 24/7 support for civil society and journalists
  • Committee to Protect Journalists: Safety guides and emergency response
  • Frontline Defenders: Protection resources for human rights defenders
  • Freedom of the Press Foundation: Digital security training for journalists
  • Electronic Frontier Foundation: Surveillance self-defense guides

Additional Security Tools

  • Tails OS: Amnesic incognito live system for high-security operations
  • Qubes OS: Security-focused operating system with strong compartmentalization
  • SecureDrop: Anonymous whistleblowing platform for secure document submission
  • Signal: End-to-end encrypted messaging with disappearing messages
  • VeraCrypt: Strong disk encryption with plausible deniability features

Warning

No Security is Absolute

Even the most sophisticated security measures can be defeated given sufficient resources, time, and determination. The goal is to raise the cost and difficulty of compromise to a level that exceeds the adversary's willingness or capability to invest. Regularly reassess your threat model and adjust security measures accordingly.

Conclusion

High-risk users require security measures that go far beyond standard best practices. The approaches outlined in this module represent a starting point for those facing serious threats, but each security implementation must be tailored to the specific threat model, operational context, and individual capabilities.

Remember that security is not a one-time implementation but an ongoing process requiring regular assessment, adaptation, and practice. The most sophisticated technical security can be undermined by operational mistakes, so training and protocol adherence are as important as the tools themselves.

Secure Mail Client provides the foundation for high-security email operations, but it must be part of a comprehensive security strategy that includes proper operational security, device management, and network protection.
