Overview
I hardened a Linux workstation using defense-in-depth, on the principle that a single compromised endpoint shouldn't hand an attacker everything. A typical single-profile machine has no internal boundaries — one bad browser session or stolen credential reaches every file and every account. I built several independent layers so that when one fails, the others are still standing.
The Layers
User compartmentalization
Separate profiles for separate contexts — Admin (the only profile with sudo), Work, Personal, and an Experimental profile for untrusted software — each with its own home directory, credentials, and browser sessions. A compromise in one doesn't cross into the others.
Application sandboxing (Firejail)
Browsers and other high-risk apps run with restricted filesystem access. If a browser is fully compromised, the malware is boxed into the sandbox — no reach into documents, other apps, or the rest of the system.
Browser hardening (arkenfox)
A hardened Firefox profile: WebRTC disabled to stop IP leaks, first-party isolation and fingerprinting resistance against cross-site tracking, DNS-over-HTTPS, HTTPS-only, telemetry off, and a deliberately minimal extension set (uBlock Origin plus container tabs).
Network & storage
ProtonVPN with a kill switch so a dropped tunnel doesn't leak traffic, a default-deny UFW firewall, and LUKS full-disk encryption with encrypted swap carried over from my OS migration work.
Stack
Platform
Arch Linux, hardened configuration
Firejail sandboxing with custom profiles
Firefox + arkenfox user.js
ProtonVPN (kill switch) · UFW · LUKS full-disk encryption
What I Took From It
The real lesson was about restraint. My first pass at arkenfox hardening was aggressive enough that it quietly broke everyday workflows — and security that gets in the way is security people turn off. I ended up writing custom overrides that kept the protection while letting the work happen, which is the actual job: making the secure path the usable one. These are software versions of mobile isolation concepts (Android's per-app sandboxes and profiles); a laptop can't match hardware-backed verified boot, but the compartmentalization gets you most of the way.
Evidence & availability
Built and run on my own hardware, so there's nothing client-confidential here — which means I can show the working parts. Configuration, scripts, and a full walkthrough are available on request.