Linux Mint provides a user-friendly Debian-based distribution, but default settings prioritize convenience over privacy. This guide covers essential hardening steps for developers and power users who want stronger privacy without sacrificing usability.
Why Linux Mint for Privacy
Linux Mint derives from Ubuntu’s repositories, meaning it receives timely security updates. The Cinnamon desktop environment remains lightweight, and the absence of mandatory telemetry (unlike Windows or macOS) makes it a solid privacy foundation. However, default configurations still leave gaps that require manual hardening.
First Steps: System Updates and Repository Configuration
Before applying privacy changes, ensure your system runs current packages:
sudo apt update && sudo apt upgrade -y
Review software sources to avoid third-party repositories that may bundle unwanted software. Open Software Sources from the menu and verify only official Mint and Ubuntu repositories are enabled. Disable any proposed or partner repositories unless you specifically need them.
Firewall Configuration with UFW
Linux Mint includes UFW (Uncomplicated Firewall) but does not enable it by default. Activate it with sensible defaults:
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
sudo ufw status verbose
For developers running local servers, create rules allowing specific ports:
# Allow local development server on port 3000
sudo ufw allow 3000/tcp
# Allow SSH only from your IP (replace x.x.x.x)
sudo ufw allow from x.x.x.x to any port 22 proto tcp
UFW logs traffic to /var/log/ufw.log. Monitor this file during troubleshooting:
sudo tail -f /var/log/ufw.log
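The following is an added example, not part of the original guide: a small summariser that counts `[UFW BLOCK]` entries per source address and destination port, which is easier to read than the raw log when troubleshooting. The function names are illustrative, and the sample lines are constructed in the kernel log format UFW writes, using documentation addresses.

```bash
#!/usr/bin/env bash
# Summarise blocked packets from UFW log lines on stdin.
# Output: "<count> <source-ip> <proto>/<dest-port>", most frequent first.
ufw_block_summary() {
  awk '
    /\[UFW BLOCK\]/ {
      src = ""; proto = ""; dpt = "-"      # "-" when no port (e.g. ICMP)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src   = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
        if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
      }
      if (src != "") count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample lines (RFC 5737 documentation addresses, made-up MAC).
sample_ufw_log() {
  cat <<'EOF'
Mar  3 10:15:01 mint kernel: [  101.000001] [UFW BLOCK] IN=enp3s0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 mint kernel: [  103.000002] [UFW BLOCK] IN=enp3s0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:16:10 mint kernel: [  170.000003] [UFW BLOCK] IN=enp3s0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=100 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Mar  3 10:16:40 mint kernel: [  200.000004] [UFW ALLOW] IN=enp3s0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=200 DF PROTO=TCP SPT=40000 DPT=3000 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:17:05 mint kernel: [  225.000005] [UFW BLOCK] IN=enp3s0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

# On a real system: sudo cat /var/log/ufw.log | ufw_block_summary
sample_ufw_log | ufw_block_summary
```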
Disk Encryption with LUKS
Full disk encryption protects data if your machine is lost or stolen. During installation, Linux Mint offers LUKS encryption—select it if performing a fresh install. For existing installations, encrypting home directories provides a practical alternative:
# Install ecryptfs utilities
sudo apt install ecryptfs-utils
# Encrypt your home directory (requires logout)
sudo ecryptfs-migrate-home -u yourusername
Verify encryption mounted successfully after logging back in:
mount | grep ecryptfs
# -h checks that the home directory is correctly set up for encryption
ecryptfs-verify -h
Note that home directory encryption requires your login password to decrypt files. Losing this password means data becomes irrecoverable.
Firefox Privacy Hardening
Firefox ships with telemetry enabled. Disable it through about:config and preferences:
# Open Firefox preferences and set:
# privacy.trackingprotection.enabled = true
# privacy.trackingprotection.pbmode.enabled = true
# browser.newtabpage.activity-stream.feeds.telemetry = false
# toolkit.telemetry.enabled = false
Create a user.js file in your Firefox profile directory (~/.mozilla/firefox/your-profile/) to persist these settings:
// ~/.mozilla/firefox/your-profile/user.js
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.pbmode.enabled", true);
user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("network.cookie.cookieBehavior", 1); // Block third-party cookies
user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", true);
The privacy.resistFingerprinting setting normalizes browser characteristics to prevent fingerprinting. Some websites may display incorrectly—if this occurs, whitelist specific sites through Firefox’s about:config.
Install uBlock Origin for ad and tracker blocking:
# Install from Firefox Add-ons or use:
xdg-open "https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/"
AppArmor for Application Sandboxing
AppArmor restricts applications to specified resources. Linux Mint includes AppArmor profiles but loads them in complain mode (logging violations without blocking). Enforce stricter profiles for sensitive applications:
# Check AppArmor status
sudo apparmor_status
# Enable enforce mode for Firefox
sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
# For other applications
sudo aa-enforce /etc/apparmor.d/*
Create custom profiles for applications lacking defaults. Profile definitions live in /etc/apparmor.d/:
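# Example: ~/.local/share/apparmor/gentoo
abi <abi/3.0>,
# /usr/bin/application is a placeholder; use the real path of the binary to confine
profile gentoo /usr/bin/application {
  #include <abstractions/base>
  #include <abstractions/fonts>
  # Read-only access to downloads, read/write access to the application's config
  /home/username/Downloads/** r,
  /home/username/.config/application rw,
}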
Load custom profiles with apparmor_parser:
sudo apparmor_parser -r ~/.local/share/apparmor/gentoo
Network Privacy: DNS and SSH Hardening
Replace your ISP’s DNS with privacy-respecting alternatives:
# Edit /etc/systemd/resolved.conf
sudo nano /etc/systemd/resolved.conf
# Add:
[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yes
DNSSEC=yes
Restart the resolver:
sudo systemctl restart systemd-resolved
For SSH connections, disable password authentication and use key-based auth:
# Edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
# Set:
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
# Restart SSH (the service unit is named ssh on Debian/Ubuntu-based systems such as Mint)
sudo systemctl restart ssh
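Generate ED25519 keys for strong, fast authentication, and install the public key on the server before restarting SSH with password authentication disabled, or you can lock yourself out: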
ssh-keygen -t ed25519 -C "your@email.com"
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
Package Management Security
Verify package integrity using apt’s signature verification:
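# List trusted keys (apt-key is deprecated; newer keyrings live in /etc/apt/trusted.gpg.d/ and /etc/apt/keyrings/)
apt-key list
# Verify a specific package (replace package-name)
dpkg --verify package-name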
For additional verification, install debsums and audit installed packages:
sudo apt install debsums
sudo debsums -ca
This detects any modified system files—a useful check after installing software from untrusted sources.
Summary
These steps create a privacy-respecting Linux Mint installation without extreme measures. Firewall rules block unauthorized access, disk encryption protects data at rest, Firefox hardening reduces tracking, and AppArmor provides application sandboxing. Combine these with secure DNS and SSH practices, and your system achieves reasonable privacy for most use cases.
Review these settings periodically—software updates may reset preferences or introduce new telemetry features. Automate security checks with cron jobs or systemd timers for continuous hardening.
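One way to automate such a check, as an added example that is not part of the original guide: the functions below read the output of `sshd -T` (the effective configuration after Include files are applied, where the first value read for a keyword wins) and `ufw status verbose`, and report drift from the settings chosen above. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Drift check for settings from this guide. Each audit function reads the
# real command's output on stdin, so it can also be exercised offline.

# stdin: output of `sshd -T` (lower-case keyword, then value).
audit_sshd() {
  awk '
    BEGIN { bad = 0
            want["passwordauthentication"] = "no"
            want["permitrootlogin"]        = "no"
            want["pubkeyauthentication"]   = "yes" }
    ($1 in want) {
      seen[$1] = 1
      if ($2 != want[$1]) {
        printf "DRIFT sshd %s=%s (want %s)\n", $1, $2, want[$1]; bad = 1
      }
    }
    END { for (k in want) if (!(k in seen)) {
            printf "DRIFT sshd %s not reported\n", k; bad = 1 }
          exit bad }
  '
}

# stdin: output of `ufw status verbose`.
audit_ufw() {
  local out rc=0
  out="$(cat)"
  printf '%s\n' "$out" | grep -q '^Status: active$' ||
    { echo "DRIFT ufw inactive"; rc=1; }
  printf '%s\n' "$out" | grep -q '^Default: deny (incoming), allow (outgoing)' ||
    { echo "DRIFT ufw default policy"; rc=1; }
  return "$rc"
}

# Entry point for a root cron job or systemd timer; non-zero exit on drift.
run_audit() {
  local rc=0
  sshd -T 2>/dev/null | audit_sshd || rc=1
  ufw status verbose 2>/dev/null | audit_ufw || rc=1
  return "$rc"
}

# Constructed sample: password logins re-enabled, e.g. by a drop-in file.
sample_sshd_drift() {
  printf '%s\n' 'port 22' 'permitrootlogin no' \
    'pubkeyauthentication yes' 'passwordauthentication yes'
}
sample_sshd_drift | audit_sshd || echo "sshd audit reported drift"
```

Call `run_audit` as root from the scheduled job and alert on a non-zero exit status.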
Built by theluckystrike — More at zovo.one