Introduction
Understanding security in theory is one thing—integrating it into daily life is another. In this module, we'll follow "Alex," a security professional, through a typical day to see how encryption and security practices are woven into both work and personal routines.
While Alex's security practices may be more rigorous than the average person's, they illustrate practical applications of many concepts covered throughout the Academy. You'll see which security measures might be worth adopting in your own life, based on your specific needs and threat model.
Note
This case study combines best practices from multiple security professionals. While comprehensive, not every measure is necessary for everyone. Consider which elements align with your personal threat model and security goals.
Morning Routine: 6:30 AM - 8:30 AM
Starting the Day Securely
Device Unlock & Initial Checks
Alex begins the day by unlocking their phone using biometrics (fingerprint). The phone has been configured to require a full passcode after restart, ensuring that biometrics alone can't unlock a powered-down device.
Security insight:
In many jurisdictions, biometrics have weaker legal protections than passcodes. A phone that's been powered off or hasn't been unlocked in 48 hours requires the full passcode rather than biometrics.
YubiKey Morning Security Check
After getting ready, Alex retrieves their two YubiKeys—one from a keychain and a backup from a secure home location. Each morning includes a brief check that the primary YubiKey is functioning correctly by touching it and seeing the LED light up.
Laptop Boot-up Procedure
Alex's laptop uses full-disk encryption with a strong passphrase, which must be entered at boot. After the system loads, they insert their YubiKey which is required for:
- SSH authentication for development servers
- PGP operations with Secure Mail Client
- Password manager access
First Email Check
Alex's first digital task is checking email in Secure Mail Client. The application automatically:
- Highlights encrypted messages first
- Verifies digital signatures on incoming mail
- Shows clear warnings for any unsigned messages
The YubiKey is required for decryption operations, providing an additional layer of security beyond just the software.
Morning Commute: 8:30 AM - 9:30 AM
Secure Mobility
Network Security on the Go
While commuting, Alex avoids public Wi-Fi networks. Instead, they use their phone as a mobile hotspot with:
- Strong WPA3 authentication enabled
- Hotspot name that doesn't reveal identity
- Automatic shutdown when not in use
For additional protection, a VPN is activated on both the phone and laptop, creating an encrypted tunnel for all internet traffic.
Secure Messaging for Time-Sensitive Communications
During the commute, Alex uses Signal for time-sensitive communications with colleagues. Signal provides:
- End-to-end encryption by default
- Disappearing message functionality for sensitive information
- Secure voice and video options when needed
Security insight:
Alex uses different communication tools for different purposes—PGP email for formal, documented communications and Signal for ephemeral or time-sensitive messages.
Work Morning: 9:30 AM - 12:30 PM
Professional Security Practices
Workstation Security
At the office, Alex connects their laptop to an external monitor while maintaining physical security:
- Privacy screen filter to prevent shoulder surfing
- Screen automatically locks after 5 minutes of inactivity
- YubiKey is removed when stepping away from the desk
- Manual screen lock (Windows+L or equivalent) when leaving even briefly
Client Communications via Encrypted Email
Much of the morning involves communicating with clients about security assessments. Alex uses Secure Mail Client to:
- Send encrypted reports containing sensitive vulnerability findings
- Verify client communications with their public keys
- Manage separate encryption identities for different classes of clients
For clients without PGP capabilities, Alex sends an unencrypted email with instructions for secure file retrieval from an encrypted file sharing service.
Code Signing and Authentication
When submitting code or documentation changes, Alex:
- Digitally signs all Git commits using their PGP subkey
- Uses SSH with YubiKey authentication for repository access
- Verifies build artifacts with checksums before deployment
# Configure Git to sign all commits
git config --global commit.gpgsign true
# Specify which key to use for signing
git config --global user.signingkey 3AA5C34371567BD2
Lunch Break: 12:30 PM - 1:30 PM
Security Doesn't Take a Break
Workstation Lockdown
When leaving for lunch, Alex follows a security routine:
- Lock workstation screen
- Remove YubiKey and take it along
- Store any sensitive physical documents in a locked drawer
Financial Privacy
For lunch purchases, Alex uses privacy-focused payment methods:
- Cash for small purchases to minimize transaction tracking
- For card payments, a privacy-focused card with minimal personal information
- App-based payments are linked to a separate email identity
Security insight:
Financial privacy is an often overlooked aspect of security. Payment data can reveal location history, habits, and associations.
Work Afternoon: 1:30 PM - 5:30 PM
Advanced Security Operations
Security Assessment Work
Alex's afternoon includes security assessment work. To maintain separation between client systems:
- Each client project runs in a separate virtual machine
- Network traffic is isolated and monitored
- Test credentials are stored in an encrypted vault with time-limited access
Document Security
When working with sensitive documentation, Alex ensures:
- All documents containing client data are encrypted at rest
- Sensitive PDFs are password-protected with strong unique passwords
- Document sharing occurs via temporary links with expiration and password protection
- Metadata is removed from documents before sharing externally
# Using exiftool to remove metadata
exiftool -all:all= -overwrite_original sensitive-document.pdf
Key Management Work
As part of regular security maintenance, Alex spends time:
- Reviewing key expiration dates in Secure Mail Client
- Updating any subkeys approaching expiration
- Checking key server for any unexpected key updates
- Rotating service credentials according to schedule
This maintenance window is scheduled weekly to ensure no keys or credentials expire unexpectedly.
Evening: 5:30 PM - 10:00 PM
Personal Security Practices
Home Network Security
Alex's home network includes several security measures:
- Separate guest network for visitors and IoT devices
- VPN configured at the router level for all traffic
- DNS-level ad and malware blocking
- Regular firmware updates for network equipment
Personal Communications
For personal communications, Alex maintains a separation of tools:
- Signal for secure chats with security-conscious friends
- PGP-encrypted email for sensitive communications
- Regular messaging apps for casual, non-sensitive communications
Close friends and family members have been helped to set up basic encryption tools.
Online Account Security
When using personal online accounts in the evening, Alex maintains security through:
- Dedicated browser profiles for different purposes (financial, social, work)
- Password manager with YubiKey 2FA for all accounts
- Hardware 2FA enabled for critical accounts where supported
- Regular privacy checkups on social accounts
End of Day: 10:00 PM - 11:00 PM
Shutting Down Securely
Device Shutdown Routine
Before retiring for the night, Alex follows a security shutdown routine:
- Full shutdown of laptop (not sleep or hibernate)
- YubiKey removed and stored in a secure location
- Mobile device charged in a separate room (not the bedroom)
- Quick visual inspection to ensure no sensitive documents are left out
Security insight:
Full device shutdown provides multiple security benefits: it flushes RAM that might contain sensitive data, requires full authentication upon restart, and protects against certain cold boot attacks.
Physical Security Check
The final security check includes:
- Verifying primary YubiKey is on person or in its secure storage location
- Confirming backup YubiKey is in its separate secure location
- Checking that any sensitive physical documents are properly stored
- Standard home security measures (doors, windows, alarm system)
Key Security Principles in Practice
Throughout Alex's day, we can observe several important security principles at work:
Defense in Depth
Security is implemented in multiple layers, so if one measure fails, others still provide protection:
- Full-disk encryption + secure boot + login + YubiKey
- Network encryption via VPN + application-level encryption
- Physical security complementing digital measures
Compartmentalization
Different activities are kept separated to limit the impact of any potential breach:
- Different browser profiles for different online activities
- Separate VMs for different client projects
- Different communication tools for different purposes
Usable Security
Security measures are integrated into daily workflow to ensure they're actually used:
- YubiKey always accessible on keychain
- Password manager integration with browser
- Automated security tools to reduce manual effort
Consistent Habits
Security is maintained through consistent routines rather than one-off actions:
- Regular device locking when stepping away
- Weekly key management maintenance
- Consistent shutdown procedures
Adapting These Practices to Your Needs
While Alex's routine represents a high-security approach, you can adapt these practices to your own needs based on your threat model:
Security Practices by Threat Level
Basic Security (For Most Users)
- Use a password manager with strong unique passwords
- Enable 2FA on important accounts (email, financial, social media)
- Use encrypted messaging for sensitive communications
- Keep devices updated and use automatic screen locking
- Be cautious with public Wi-Fi networks
Enhanced Security (For Privacy-Conscious Users)
- Use PGP email encryption for important communications
- Set up a VPN for regular internet usage
- Implement browser compartmentalization with different profiles
- Consider a hardware security key for critical accounts
- Use full-disk encryption on all devices
High Security (For At-Risk Users)
- Implement all of Alex's security practices as appropriate
- Consider air-gapped computing for extremely sensitive operations
- Use Tails OS or similar for anonymous computing when needed
- Maintain strict physical security procedures
- Regularly audit and test your security measures
Tip
Start by implementing a few security measures that address your most significant risks, then gradually add more as they become comfortable habits. Security is most effective when it's sustainable and consistently applied.
Conclusion
While Alex's day might seem security-intensive, many of these practices become second nature with time. The key is finding the right balance of security measures for your personal situation:
- Consider your threat model and implement security measures accordingly
- Focus on creating sustainable security habits rather than perfect but impractical measures
- Gradually increase your security posture as you become comfortable with basic practices
- Remember that even security professionals balance security with practicality
By observing how encryption and security tools integrate into a real-world routine, we can better understand how to apply these concepts in our own lives, adapting them to our specific needs and threat models.
Key Takeaways
- Effective security integrates multiple layers of protection (defense in depth)
- Practical security requires balancing protection with usability
- Consistent security habits are more effective than occasional intense measures
- Different activities may require different levels of security
- Adapt security practices to match your personal threat model