You Installed the Privacy Stack. Now Harden It.
Signal, ProtonMail, Brave, GrapheneOS, and Tails don't ship fully locked down. Here's every setting you should change — and what each one actually does.
Switching to privacy tools is step one. Configuring them is step two — and most people skip it.
Signal ships with disappearing messages off. ProtonMail leaves remote image loading on. Brave’s default search engine is still Google in some regions. GrapheneOS gives you network permission controls that 90% of users never touch. Tails boots into an amnesic environment, but persistence is a manual setup that changes the threat model entirely.
These tools are built by people who care about privacy. But they’re also built to be usable out of the box, which means the defaults balance privacy against convenience. If you’re reading this, you probably want the balance shifted.
We covered why these tools matter and how they compare in a previous post. This one is the follow-up: what to change, where to find it, and what each setting actually does.
Signal
Signal’s encryption is solid by default. The protocol has been formally verified by cryptographers at Oxford, McMaster, and QUT. You don’t need to touch anything for message content to be protected. What you do need to configure is everything around the encryption.
Disappearing messages
Settings > Privacy > Default timer for new chats
Set this to something reasonable — 1 week is a good starting point, 24 hours if you’re cautious. This applies to all new conversations going forward. Existing threads keep their current setting until you change them individually.
Why it matters: encrypted messages are safe in transit. They’re not safe on a phone that gets seized, stolen, or unlocked by a curious partner. Disappearing messages limit the window. The messages still exist in both clients until the timer fires — this isn’t a remote-wipe feature — but it means a device compromise six months from now doesn’t expose six months of conversation.
Registration lock
Settings > Account > Registration Lock > On
This requires your Signal PIN to re-register your phone number on a new device. Without it, someone who gets control of your phone number (SIM swap, carrier social engineering, law enforcement request) can register Signal on their device and start receiving your messages.
The PIN is set during Signal’s onboarding. If you skipped it or set something weak, go to Settings > Account > Signal PIN > Change and pick something strong. This isn’t a screen lock — it’s an identity verification that protects your account from being hijacked via your carrier.
Screen security
Settings > Privacy > Screen Security > On (Android)
Settings > Privacy > Screen Lock > On (iOS)
On Android, this prevents Signal from appearing in the app switcher and blocks screenshots inside the app. On iOS, it requires Face ID or Touch ID to open Signal after the timeout you set.
The Android version is more useful from a security standpoint — it prevents a grabbed phone from showing message previews in the recent apps view. The iOS version is more about preventing casual access.
Relay calls
Settings > Privacy > Advanced > Always Relay Calls > On
Voice calls in Signal are end-to-end encrypted, but by default they establish a direct peer-to-peer connection. That means the person you’re calling can see your IP address — and your IP reveals your approximate location and ISP.
Enabling relay routes calls through Signal’s servers. The person on the other end sees Signal’s IP, not yours. Call quality drops slightly. For most people that’s a worthwhile trade.
Notification content
Settings > Notifications > Show > No name or message
By default, Signal shows the sender’s name and a message preview in your phone’s notification shade. Anyone who glances at your lock screen sees who’s messaging you and what they said. Set this to show no name or message — you’ll see “New message” and nothing else.
Link previews
Settings > Chats > Generate Link Previews > Off
When you paste a URL into Signal, it fetches a preview (title, image, description) from that URL. That fetch request goes to the destination server, which logs your IP address. For most links this is harmless. But if you’re sharing a link you don’t want associated with your IP — a whistleblower document, a sensitive report — the preview generation defeats the purpose.
Typing indicators
Settings > Privacy > Typing Indicators > Off
Minor, but it tells your contacts when you’re actively composing a message. In most contexts this is just a social feature. In sensitive contexts, it reveals that you’re online and engaged in a specific conversation at a specific time.
ProtonMail
Proton’s zero-access encryption means emails at rest on their servers are encrypted with keys derived from your password — which Proton never sees. That’s the baseline. Here’s what you should configure on top of it.
Two-factor authentication
Settings > Security > Two-factor authentication > Enable
Use a hardware key (YubiKey) or TOTP app (not SMS). Proton supports both TOTP and U2F/FIDO2 hardware keys. If you have a YubiKey — one ships with our Privacy Starter Kit — register it here. Hardware keys are phishing-resistant in a way that TOTP codes aren’t, because the key validates the domain before responding.
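The "validates the domain" point is the whole difference between the two second factors, and it is easiest to see in code. The following is an added example, not Proton's code and not a FIDO library: it implements real TOTP (RFC 4226/6238) next to a simplified WebAuthn-style assertion, and runs both through a relayed phishing login. Assumptions: the authenticator's ECDSA signature is simulated with HMAC-SHA256 over a shared key, the signed layout mirrors WebAuthn (rpIdHash || flags || counter || sha256(clientDataJSON)), and every domain is constructed.

```python
"""Added example (not Proton's code and not a FIDO library): why a hardware
key resists a relayed phishing login while a TOTP code does not.

Assumptions: the authenticator's signature is simulated with HMAC-SHA256 over
a shared key (standing in for the ECDSA private key a real key holds); the
signed data mirrors the WebAuthn assertion layout (rpIdHash || flags ||
counter || sha256(clientDataJSON)); all domains are constructed.
"""
import hashlib
import hmac
import json
import struct

# ---- TOTP (RFC 4226 / RFC 6238) -----------------------------------------
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HMAC-SHA1 over the time counter."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, now: int) -> bool:
    # The server learns nothing about *where* the user typed the code.
    return hmac.compare_digest(totp(secret, now), code)

# ---- WebAuthn-style assertion (simplified) ------------------------------
def browser_rp_id(origin: str) -> str:
    """The browser derives the RP ID from the page's real origin; the page
    cannot claim a different one."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]

def authenticator_sign(key: bytes, rp_id: str, client_data: bytes, counter: int):
    """What the hardware key signs: the hash of the RP ID the browser gave it,
    flags, a counter, and the hash of the client data (origin + challenge)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + struct.pack(">I", counter)
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return auth_data, signature

def browser_get_assertion(key: bytes, origin: str, challenge: str, counter: int):
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data, sig = authenticator_sign(key, browser_rp_id(origin), client_data, counter)
    return client_data, auth_data, sig

def rp_verify(key: bytes, rp_id: str, origin: str, challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, challenge and origin in the client data,
    the rpIdHash, then the signature over exactly what the key signed."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != origin:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, to_sign, hashlib.sha256).digest(), sig)

def demo() -> dict:
    """Relay attack: a phishing page proxies the login to the real site."""
    real_origin, real_rp = "https://mail.example.com", "mail.example.com"  # constructed
    phish_origin = "https://mail.example-login.com"                         # constructed
    totp_secret = b"12345678901234567890"
    key = b"constructed-authenticator-key"
    now = 1_700_000_000

    # TOTP: the victim types the code on the phishing page; the attacker relays it.
    relayed_code = totp(totp_secret, now)
    totp_relayed = totp_server_accepts(totp_secret, relayed_code, now)

    # FIDO: the real site issues a challenge, the phisher forwards it, the
    # victim's browser signs on the *phishing* origin, the phisher relays.
    challenge = "c3R1Yi1jaGFsbGVuZ2U"
    cd, ad, sig = browser_get_assertion(key, phish_origin, challenge, counter=42)
    fido_relayed = rp_verify(key, real_rp, real_origin, challenge, cd, ad, sig)

    # Same key, same challenge, but the user really is on the real site.
    cd, ad, sig = browser_get_assertion(key, real_origin, challenge, counter=43)
    fido_direct = rp_verify(key, real_rp, real_origin, challenge, cd, ad, sig)

    return {"totp_relayed_accepted": totp_relayed,
            "fido_relayed_accepted": fido_relayed,
            "fido_direct_accepted": fido_direct}

if __name__ == "__main__":
    print(demo())
```

The relayed TOTP code is accepted because nothing in it says where it was typed; the relayed FIDO assertion fails twice over, on the origin inside clientDataJSON and on the rpIdHash, because the browser, not the page, decides which RP ID the key signs for. A real authenticator would refuse even earlier, since it holds no credential registered for the phishing domain.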
Session management
Settings > Security > Sessions
Check this periodically. It shows every device and location with an active Proton session. If you see something you don’t recognize, revoke it and change your password. This is the first place to look if you suspect unauthorized access.
Remote image loading
Settings > Privacy and data collection > Auto show remote images > Off
Email tracking pixels work by embedding a tiny remote image in the message. When your client loads it, the sender’s server logs your IP address, the time you opened the email, and often your device type. Turning off remote image loading breaks this tracking. You can still load images manually on emails you trust.
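To make the mechanism concrete, here is an added example (not Proton's code) of what that setting is defending against: a small auditor that walks an HTML email, lists every image whose source would cause a network fetch, flags the ones that look like tracking pixels, and rewrites the body so nothing remote is loaded. The sample message and its URLs are constructed, and the tracker heuristics (tiny or hidden image, long opaque token in the URL) are assumptions, not a standard.

```python
"""Added example (not Proton's code): what "Auto show remote images > Off"
protects against, as an auditor that finds remote images in an HTML email,
flags the ones that look like tracking pixels, and rewrites the body so
nothing is fetched. The sample message and all URLs are constructed; the
tracker heuristics are assumptions, not a standard."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{16,}")   # per-recipient ids in path/query

def is_remote(url: str) -> bool:
    """http(s) and protocol-relative URLs cause a network fetch; cid:/data: do not."""
    u = url.strip()
    return u.startswith("//") or urlparse(u).scheme.lower() in {"http", "https"}

def looks_like_tracker(attrs: dict) -> bool:
    def tiny(v) -> bool:
        try:
            return float(str(v).rstrip("px")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if tiny(attrs.get("width")) or tiny(attrs.get("height")):
        return True
    if "display:none" in style or "visibility:hidden" in style \
            or re.search(r"(width|height):[01]px", style):
        return True
    parsed = urlparse(attrs["src"].strip())
    return bool(OPAQUE_TOKEN.search(parsed.path + "?" + parsed.query))

class RemoteImageAuditor(HTMLParser):
    """Collects every <img> whose src would trigger a remote fetch."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src") and is_remote(a["src"]):
            self.findings.append({
                "raw": self.get_starttag_text(),
                "url": a["src"].strip(),
                "tracker": looks_like_tracker(a),
            })
    # Self-closing <img ... /> reaches handle_starttag through HTMLParser's
    # default handle_startendtag, so it is covered as well.

def audit_and_strip(html: str):
    """Return (sanitized_html, findings). Every remote <img> is replaced by a
    placeholder; inline cid:/data: images are left untouched."""
    p = RemoteImageAuditor()
    p.feed(html)
    p.close()
    sanitized = html
    for f in p.findings:
        sanitized = sanitized.replace(f["raw"], '<img alt="[remote image blocked]">', 1)
    return sanitized, p.findings

# Constructed sample: one inline image, one ordinary remote banner, two pixels.
SAMPLE_EMAIL = """<html><body>
<p>Your order has shipped.</p>
<img src="cid:logo@example.com" alt="logo">
<img src="https://cdn.example.com/banner.png" width="600" height="120" alt="banner">
<img src="https://track.example.net/o/9f2c1b7e4a5d6c3b8e1f.gif" width="1" height="1" alt="">
<img src="https://m.example.org/pixel?u=3c5e9a1b7d2f4e6a8b0c" style="display: none" />
</body></html>"""

if __name__ == "__main__":
    body, found = audit_and_strip(SAMPLE_EMAIL)
    for f in found:
        print(("TRACKER " if f["tracker"] else "remote  ") + f["url"])
    print(body)
```

Note that the banner is also blocked even though it is not flagged as a tracker: the server hosting it still sees your IP and open time, which is why the client setting blocks all remote images rather than trying to guess which ones are pixels.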
Email display name
Settings > Identity > Display name
If you created your Proton account with your real name, consider whether you need it displayed on every email you send. You can change the display name per address. For addresses you use for sign-ups or semi-anonymous purposes, set a neutral display name or leave it blank.
PGP settings
Settings > Encryption and keys
If you correspond with people who use PGP, you can attach your public key to outgoing messages and set a default encryption preference. For most users this is optional — Proton-to-Proton messages are already encrypted. But if you’re emailing someone on Gmail or Outlook and want end-to-end encryption, PGP is the only way.
Proton makes this easier than standalone PGP ever was. Import contacts’ public keys, and Proton will automatically encrypt outgoing messages to those contacts.
Address disabling
Settings > Identity > Addresses
If you have multiple Proton addresses (available on paid plans), you can disable addresses you’re not using. A disabled address can’t receive email, which means it can’t be used as a vector for phishing or spam. Re-enable when needed.
Anti-phishing
Settings > Security > Anti-phishing > On
This displays a custom phrase in the Proton web interface that only you set. A phishing page mimicking the Proton login won’t show your phrase. It’s a simple, effective check against credential harvesting — as long as you actually look for it every time you log in.
Brave
Brave blocks trackers and ads by default, which puts it ahead of Chrome, Edge, and Safari before you touch a single setting. But the defaults still leave room to tighten.
Default search engine
Settings > Search engine > Default search engine > DuckDuckGo (or Brave Search)
In some regions Brave still defaults to Google. Check this and switch. DuckDuckGo doesn’t profile you. Brave Search is building an independent index and doesn’t track queries. Google does both and ties it to your advertising profile.
Shields configuration
Click the Brave lion icon in the address bar on any page:
- Trackers & ads blocking > Aggressive — blocks more trackers at the cost of occasional site breakage
- Upgrade connections to HTTPS > Strict — refuses insecure connections entirely
- Block fingerprinting > Strict — randomizes your browser fingerprint on every session
- Block cookies > Only block cross-site cookies — keeps functional cookies while blocking tracking ones
You can set these globally via Settings > Shields and override per-site when something breaks.
Tor windows
Menu > New Private Window with Tor
Brave has built-in Tor support. It’s not a full Tor Browser replacement — Brave’s Tor integration doesn’t include all of Tor Browser’s fingerprinting protections — but it’s useful for quick lookups where you don’t want your IP logged. For serious anonymity, use Tails or the Tor Browser directly.
WebRTC policy
Settings > Privacy and security > WebRTC IP handling policy > Disable non-proxied UDP
WebRTC can leak your real IP address even through a VPN. This setting prevents that by routing WebRTC traffic through your proxy or VPN. Video calls on some sites may not work — if they break, you’ll know why.
Clear data on exit
Settings > Privacy and security > Clear browsing data > On close
Set this to clear cookies, cached images, and site data when you close Brave. This prevents tracking across browsing sessions. You’ll need to re-login to sites each time, but that’s the point.
Extension audit
Keep extensions to a minimum. Every extension has access to some subset of your browsing data. Audit what you have installed (brave://extensions) and remove anything you don’t actively use. The more extensions you run, the more unique your browser fingerprint becomes — even with fingerprint blocking enabled.
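The "more unique" claim can be measured: a fingerprint's strength is the size of the crowd that shares it. The example below is added here (not Brave's code) and builds a constructed population of browser profiles, then shows how adding a detectable-extensions attribute on top of platform, timezone and screen size shrinks the anonymity set for one profile. The distributions and extension names are assumptions for illustration, not measured data.

```python
"""Added example (not Brave's code): how each extra observable attribute,
such as a detectable extension, shrinks the set of browsers that share
your fingerprint. The population and its distributions are constructed
for illustration, not measured data."""
import math
import random
from collections import Counter

# Hypothetical names; a detectable extension is one that injects scripts,
# styles or web-accessible resources a page can probe for.
EXTENSIONS = ["ext_a", "ext_b", "ext_c", "ext_d", "ext_e", "ext_f", "ext_g", "ext_h"]

def build_population(n: int = 20000, seed: int = 7) -> list:
    rng = random.Random(seed)
    pop = []
    for _ in range(n):
        n_ext = rng.choices([0, 1, 2, 3], weights=[60, 25, 10, 5])[0]
        pop.append({
            "platform": rng.choices(["Win", "Mac", "Linux", "Android"], [55, 20, 5, 20])[0],
            "timezone": rng.choices(["UTC-8", "UTC-5", "UTC+0", "UTC+1", "UTC+8"],
                                    [15, 25, 20, 25, 15])[0],
            "screen": rng.choices(["1920x1080", "1366x768", "2560x1440", "390x844"],
                                  [40, 25, 15, 20])[0],
            "extensions": frozenset(rng.sample(EXTENSIONS, k=n_ext)),
        })
    return pop

def anonymity_set(population, profile, attrs) -> int:
    """Number of browsers (profile included) matching on all given attributes."""
    return sum(1 for p in population if all(p[a] == profile[a] for a in attrs))

def surprisal_bits(population, profile, attrs) -> float:
    """Identifying information revealed: log2(N / anonymity set)."""
    return math.log2(len(population) / anonymity_set(population, profile, attrs))

def attribute_entropy_bits(population, attr) -> float:
    """Average information one attribute carries across the population."""
    n = len(population)
    counts = Counter(p[attr] for p in population).values()
    return -sum(c / n * math.log2(c / n) for c in counts)

def demo() -> dict:
    pop = build_population()
    # Pick a profile running two extensions and watch its crowd shrink.
    profile = next(p for p in pop if len(p["extensions"]) == 2)
    base = ["platform", "timezone", "screen"]
    return {
        "population": len(pop),
        "set_without_extensions": anonymity_set(pop, profile, base),
        "set_with_extensions": anonymity_set(pop, profile, base + ["extensions"]),
        "bits_without": round(surprisal_bits(pop, profile, base), 2),
        "bits_with": round(surprisal_bits(pop, profile, base + ["extensions"]), 2),
        "extension_entropy_bits": round(attribute_entropy_bits(pop, "extensions"), 2),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Fingerprint randomization changes what a page reads from canvas or audio APIs; it does not hide which extensions are installed when those extensions leave observable traces, which is why the anonymity set keeps shrinking with each one you add.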
GrapheneOS
If you’re running a de-googled phone with GrapheneOS, you already have a hardened kernel, verified boot, and no Google Play Services telemetry. The OS-level protections are strong out of the box. What most people don’t configure are the per-app controls.
Network permission
Settings > Apps > [App] > Permissions > Network > Off
GrapheneOS lets you revoke network access per app. This is powerful. An offline note-taking app doesn’t need internet access. A calculator doesn’t need to phone home. Go through your installed apps and disable network for anything that doesn’t need it.
Apps that had network access revoked will still function locally. They just can’t send data anywhere. If something breaks, you’ll know exactly which permission to re-enable.
Sensor permissions
Settings > Apps > [App] > Permissions > Sensors > Off
GrapheneOS exposes sensor access (accelerometer, gyroscope, barometer) as a revocable permission. Most apps don’t need sensor data. The ones that request it without obvious reason are typically using it for fingerprinting or motion-based analytics.
Storage scopes
Settings > Apps > [App] > Permissions > Storage > Scoped
Instead of giving an app access to your entire file system, scoped storage limits it to a sandboxed directory. The app can only see files it created or files you explicitly share with it through the system file picker. This prevents apps from scanning your entire device for photos, documents, or other files.
Contact scopes
Settings > Apps > [App] > Permissions > Contacts
Same concept as storage scopes. An app that asks for contacts access gets your full address book by default — every name, number, and email. With GrapheneOS, you can grant contacts access but limit it to a subset of contacts, or provide an empty contacts list. The app thinks it has access. It just has access to nothing.
Exploit protection
Settings > Security > Exploit protection
GrapheneOS includes hardened memory allocation (hardened_malloc), Control Flow Integrity, and other exploit mitigations that run automatically. You don’t need to configure these — they’re on by default. But it’s worth knowing they exist, because they’re a significant part of why GrapheneOS is the strongest Android-based OS from a security standpoint.
Auto-reboot
Settings > Security > Auto reboot > 18 hours (or less)
GrapheneOS can automatically reboot your device after a set idle period. After reboot, the device returns to a BFU (Before First Unlock) state where all data is encrypted at rest and inaccessible without your PIN. This protects against physical extraction — if your phone is seized while locked but after first unlock (the AFU, After First Unlock, state), forensic tools can access data in memory. After a reboot, they can’t.
18 hours is a reasonable default. If you’re in a higher-risk situation, set it shorter.
Tails OS
Tails is a portable operating system designed to leave no trace on the computer it’s used on. It boots from a USB drive, routes all traffic through Tor, and wipes everything from memory on shutdown. If your threat model includes physical forensics or network surveillance, Tails is the strongest general-purpose tool available.
Persistent storage
Applications > Persistent Storage
By default, Tails is fully amnesic — nothing survives a reboot. Persistent storage lets you save specific data (files, bookmarks, network settings, PGP keys) to an encrypted partition on your Tails USB. This is opt-in and encrypted with your passphrase.
Enable persistence for what you need and nothing else. The more you persist, the more data exists on the USB. If the USB is seized, the encrypted partition is visible (though not readable without your passphrase). A strong passphrase is non-negotiable here.
Tor bridges
Tor Connection > Configure > Use bridges
In some networks and countries, Tor traffic is blocked or flagged. Bridges are unlisted Tor entry nodes that make your connection look like regular HTTPS traffic. Tails includes built-in bridge support using obfs4 (obfuscated transport).
If you’re on a network that blocks Tor — corporate networks, university networks, censored countries — enable bridges. If your ISP or government monitors for Tor usage (even if they can’t break the encryption), bridges hide the fact that you’re using Tor at all.
MAC address anonymization
Tails > Settings > Network > MAC Address Anonymization > On
This is on by default, but verify it. Your MAC address is a hardware identifier for your network card. Without anonymization, every Wi-Fi network you connect to can correlate your device across sessions. With it on, Tails generates a random MAC address each session.
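Two bits in the first byte of a MAC address decide how it reads to anyone watching the network: the multicast bit (must be clear for a device address) and the locally-administered bit (set on addresses that were not burned in by the vendor). The example below is added here, not Tails' code: it generates a per-session random address that gets those bits right, optionally keeping the first three bytes so the device still looks like the same class of hardware, and classifies any address you paste in. The OUI in the usage is constructed, not a real vendor prefix.

```python
"""Added example (not Tails' code): generating a per-session random MAC
address and telling a randomized address from a burned-in one. The OUI
used below is constructed, not a real vendor prefix."""
import os
import re
from typing import Optional

def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)

def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def random_mac(keep_oui: Optional[bytes] = None) -> str:
    """Fully random MAC with the locally-administered bit set and the
    multicast bit cleared. With keep_oui, only the last three bytes are
    randomized and the vendor prefix is left untouched (so the address
    still claims to be universally administered by that vendor)."""
    raw = bytearray(os.urandom(6))
    if keep_oui is not None:
        if len(keep_oui) != 3:
            raise ValueError("OUI must be exactly 3 bytes")
        raw[:3] = keep_oui
    else:
        # bit 1 of byte 0: locally administered; bit 0: unicast (multicast cleared)
        raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(raw)

def classify(mac: str) -> dict:
    """Report the two administrative bits of an address."""
    first = parse_mac(mac)[0]
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }

if __name__ == "__main__":
    fresh = random_mac()
    print(fresh, classify(fresh))
    # Constructed OUI 00:11:22, randomized tail only
    print(random_mac(keep_oui=bytes.fromhex("001122")))
```

Whichever mode a tool uses, the check that matters is that the address actually changes between sessions and that the multicast bit is never set; an address with the locally-administered bit set is a common sign, for an analyst reviewing access-point logs, that a client is randomizing.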
Unsafe browser
Tails includes an “Unsafe Browser” that connects directly to the internet without Tor. Its only intended use is logging into captive portals (hotel Wi-Fi, airport Wi-Fi) that require a browser before granting network access. Never use it for anything else. Once you’re through the captive portal, use the regular Tor Browser.
Encrypted clipboard
When you copy text in Tails, the clipboard is not persisted and is wiped on shutdown. But while the session is running, anything you copy is in memory. Be mindful of what you copy — passwords, addresses, keys. If possible, type sensitive data directly rather than copying from a document.
Shutdown behavior
When you shut down Tails (or pull the USB drive), it overwrites RAM to prevent cold boot attacks — a technique where residual data in memory can be read by physically extracting the RAM chips shortly after power-off. This happens automatically. Don’t interrupt the shutdown process. Let it complete.
The tools in this stack are already ahead of anything mainstream. But a tool configured with its defaults is a tool configured for the average user — and the average user prioritizes convenience over security. Every setting on this list shifts that balance.
If you want these tools running on hardware that isn’t working against you, that’s what we build. A de-googled phone running GrapheneOS with everything in this guide pre-configured. A Privacy Starter Kit with a YubiKey for your Proton and Signal accounts, a Faraday sleeve, and a TailsOS USB ready to boot. The software is free. The hardware and setup time is what we sell.