Linux is not private by default. The choice to run Linux is a meaningful step away from Windows telemetry and macOS data collection, but without deliberate hardening, your Linux system still leaks information — through systemd-resolved DNS, NetworkManager’s default behavior, Ubuntu’s opt-out telemetry, and application-level network access. This guide walks through the practical steps to lock down a Linux desktop for privacy.
## Choosing a Privacy-Respecting Distribution
Your distribution choice sets the baseline:
- Fedora — The strongest default security posture of mainstream distributions. Ships with SELinux enabled, Wayland by default, and minimal telemetry. Package updates are current. Ideal for users who want a polished desktop with serious security defaults.
- Debian — Conservative, stable, and trustworthy. No telemetry. Ships with older packages but has an excellent security track record. A strong choice for servers and stability-focused users. AppArmor is available and easily enabled.
- Arch Linux — Rolling release, minimal default installation. You build the system yourself, which means you control exactly what is installed. No telemetry. Higher maintenance burden but maximum transparency.
Avoid telemetry-heavy Ubuntu derivatives (Pop!_OS has removed Ubuntu telemetry; Linux Mint has minimal telemetry). If you use Ubuntu directly, address the telemetry packages below.
## Disabling Telemetry
### Ubuntu / ubuntu-report
Ubuntu ships ubuntu-report, which collects hardware and usage data. Opt out:
```bash
ubuntu-report send no
```
Verify the opt-out was recorded:
```bash
ubuntu-report show
```
Remove the package entirely if you prefer:
```bash
sudo apt remove ubuntu-report apport whoopsie
```
apport is the crash reporting daemon; whoopsie submits crash reports to Canonical. Neither is necessary for a functioning system.
### systemd-resolved DNS
By default, systemd-resolved may fall back to unencrypted DNS or forward queries to your network’s DHCP-provided resolver. Configure it explicitly:
```ini
# /etc/systemd/resolved.conf
[Resolve]
DNS=127.0.0.1
FallbackDNS=
DNSStubListener=no
```
This points resolved to a local encrypted resolver (like DNSCrypt-proxy on 127.0.0.1), leaves FallbackDNS explicitly empty so resolved never silently uses its compiled-in fallback servers when the local resolver is down, and disables the DNS stub listener on port 5353 to prevent conflicts. Once the stub listener is off, /etc/resolv.conf must no longer point at the stub address 127.0.0.53: link it to /run/systemd/resolve/resolv.conf (which lists the DNS= servers configured above) or make sure glibc resolves through nss-resolve. Restart with:
```bash
sudo systemctl restart systemd-resolved
```
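To confirm that a resolved.conf really carries the three settings above rather than commented-out defaults, here is an added shell check (not part of the original guide). It parses only the [Resolve] section of the file it is given, assumes the layout shown above, and treats an absent FallbackDNS= as a failure because systemd-resolved then uses its compiled-in fallback servers. The file path in the usage comment is an assumption.

```bash
#!/bin/sh
# Added example: audit a systemd-resolved configuration file against the
# hardened settings (loopback DNS, empty FallbackDNS, stub listener off).
# check_resolved_conf FILE prints one line per setting; returns 0 only when
# all three are as recommended, 1 otherwise.
check_resolved_conf() {
    conf="$1"
    fail=0

    # Keep only KEY=VALUE lines from the [Resolve] section: comments (# or ;)
    # and other sections are dropped, whitespace around keys and values is
    # trimmed. For a repeated key the last occurrence wins, as in systemd.
    section=$(awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { in_r = ($0 ~ /\[Resolve\]/); next }
        in_r && index($0, "=") {
            sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            sub(/[[:space:]]*=[[:space:]]*/, "=")
            print
        }
    ' "$conf")

    dns=$(printf '%s\n' "$section" | awk -F= '$1 == "DNS" { v = $2 } END { print v }')
    case "$dns" in
        127.0.0.1|127.0.0.1:*|::1)
            echo "ok:   DNS=$dns (local resolver)" ;;
        "")
            echo "FAIL: DNS is unset; resolved will use the DHCP-provided resolver"; fail=1 ;;
        *)
            echo "FAIL: DNS=$dns is not a loopback resolver"; fail=1 ;;
    esac

    if printf '%s\n' "$section" | grep -q '^FallbackDNS='; then
        fb=$(printf '%s\n' "$section" | awk -F= '$1 == "FallbackDNS" { v = $2 } END { print v }')
        if [ -z "$fb" ]; then
            echo "ok:   FallbackDNS is explicitly empty"
        else
            echo "FAIL: FallbackDNS=$fb would bypass the local resolver when it is down"; fail=1
        fi
    else
        # An absent key is not the same as an empty one: resolved then falls
        # back to its compiled-in public servers.
        echo "FAIL: FallbackDNS not set; compiled-in fallback servers remain active"; fail=1
    fi

    stub=$(printf '%s\n' "$section" | awk -F= '$1 == "DNSStubListener" { v = $2 } END { print v }')
    if [ "$stub" = "no" ]; then
        echo "ok:   DNSStubListener=no"
    else
        echo "FAIL: DNSStubListener=${stub:-<default yes>}"; fail=1
    fi
    return "$fail"
}

# Usage (assumed path): check_resolved_conf /etc/systemd/resolved.conf
```

The check reads the file directly rather than `resolvectl status`, so it can be run against a staged copy before the restart; a non-zero exit means at least one of the three settings is not in the hardened state.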
## MAC Address Randomization
Your device’s MAC address is a hardware identifier visible to Wi-Fi access points and local network observers. Without randomization, your device can be tracked across locations as the same hardware identifier appears at different networks.
### NetworkManager (GNOME, most distros)
Create a configuration file:
```bash
sudo nano /etc/NetworkManager/conf.d/mac-randomization.conf
```
Add:
```ini
[device]
wifi.scan-rand-mac-address=yes
[connection]
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
```
For per-connection randomization (a different random MAC each time you connect to a network), use `random`. For a stable-but-pseudonymous MAC for a specific network (useful if the network uses MAC-based access control), use `stable`.
Restart NetworkManager:
```bash
sudo systemctl restart NetworkManager
```
Verify:
```bash
ip link show wlan0
```
The MAC address shown should be different from your hardware MAC (check `ethtool -P wlan0` for the permanent address).
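The verification step above is easy to misread by eye, so here is an added shell check (not from the original guide) that takes the text of `ip link show` plus the permanent address from `ethtool -P`, confirms the active MAC differs from the permanent one, and additionally tests the locally-administered bit (0x02 in the first octet) that NetworkManager sets on the addresses it generates. The interface name wlan0 in the usage comment is an assumption; newer iproute2 prints the permanent address as a `permaddr` field, which the check uses when no second argument is given.

```bash
#!/bin/sh
# Added example: verify MAC randomization from `ip link` / `ethtool -P` output.

# current_mac IP_LINK_OUTPUT -> the link/ether address in the text, lowercase
current_mac() {
    printf '%s\n' "$1" | awk '/link\/ether/ { print tolower($2); exit }'
}

# permanent_mac IP_LINK_OUTPUT -> the permaddr field if iproute2 printed one
permanent_mac() {
    printf '%s\n' "$1" | awk '/link\/ether/ {
        for (i = 1; i <= NF; i++) if ($i == "permaddr") { print tolower($(i + 1)); exit }
    }'
}

# mac_is_local MAC -> 0 if the locally administered bit (0x02 in the first
# octet) is set, 1 otherwise. Burned-in vendor addresses leave this bit clear;
# NetworkManager sets it on every address it generates.
mac_is_local() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in
        [0-9a-fA-F][0-9a-fA-F]) ;;
        *) return 1 ;;
    esac
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# check_mac_randomization IP_LINK_OUTPUT [PERMANENT_MAC] -> reports and returns
# 0 only when the active address differs from the permanent one and is locally
# administered. PERMANENT_MAC may be omitted when the ip output has permaddr.
check_mac_randomization() {
    active=$(current_mac "$1")
    perm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$perm" ] || perm=$(permanent_mac "$1")
    if [ -z "$active" ]; then
        echo "FAIL: no link/ether line in the ip output"; return 1
    fi
    if [ -z "$perm" ]; then
        echo "FAIL: permanent address unknown; pass the address from ethtool -P"; return 1
    fi
    if [ "$active" = "$perm" ]; then
        echo "FAIL: active MAC $active equals the permanent address; randomization is off"; return 1
    fi
    if mac_is_local "$active"; then
        echo "ok:   active MAC $active is locally administered (permanent: $perm)"; return 0
    fi
    echo "WARN: active MAC $active differs from $perm but looks like a vendor address"; return 1
}

# Live usage (interface name assumed):
#   check_mac_randomization "$(ip link show wlan0)" "$(ethtool -P wlan0 | awk '{print $NF}')"
```

A WARN result usually means a fixed cloned address was configured rather than `random` or `stable`; both NetworkManager modes produce addresses with the locally-administered bit set.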
## AppArmor and SELinux Basics
Mandatory access control (MAC) systems restrict what applications can do, even if they are compromised.
### AppArmor (Debian, Ubuntu)
AppArmor uses profiles to confine individual applications. Check status:
```bash
sudo aa-status
```
Enable enforcement for applications with available profiles:
```bash
sudo apt install apparmor-profiles apparmor-profiles-extra
sudo aa-enforce /etc/apparmor.d/*
```
aa-enforce switches profiles from complain mode (logs violations) to enforce mode (blocks violations). Watch for broken applications with:
```bash
sudo journalctl -xe | grep apparmor
```
If an application breaks under AppArmor, switch its profile to complain mode while you troubleshoot:
```bash
sudo aa-complain /etc/apparmor.d/usr.bin.firefox
```
### SELinux (Fedora, Red Hat)
Fedora ships with SELinux enforcing. Check:
```bash
getenforce
```
Should return Enforcing. If Permissive, enable enforcement:
```bash
sudo setenforce 1
sudo sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
```
SELinux denials appear in /var/log/audit/audit.log. Use audit2why to understand them:
```bash
sudo ausearch -m avc -ts recent | audit2why
```
## Firewall Setup with ufw
Uncomplicated Firewall (ufw) provides a straightforward interface to iptables/nftables.
```bash
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
```
Check status:
```bash
sudo ufw status verbose
```
Allow specific services as needed:
```bash
sudo ufw allow ssh      # Port 22
sudo ufw allow 443/tcp  # HTTPS
```
For desktop users who do not run any services, the default deny incoming is sufficient and correct — no remote connections can be initiated to your machine.
## Full Disk Encryption with LUKS
LUKS (Linux Unified Key Setup) encrypts the entire disk partition. This protects your data if the device is stolen or seized — without the passphrase, the disk content is unreadable.
Enable at installation: Every major Linux installer (Ubuntu, Fedora, Debian) offers LUKS encryption during setup. It is a checkbox during partitioning. Enable it during installation — retrofitting LUKS to an existing unencrypted system requires wiping the partition.
LUKS configuration during install:
- Choose a strong passphrase (20+ characters, random preferred — use a password manager)
- The passphrase encrypts the LUKS master key; the master key encrypts the disk
Adding a key to an existing LUKS volume:
```bash
sudo cryptsetup luksAddKey /dev/sda3
```
This adds a second passphrase slot — useful for adding a recovery key stored in a secure location.
Verify LUKS is active (the argument is the mapped device under /dev/mapper; substitute the name your system uses, which `lsblk` lists with TYPE crypt):
```bash
sudo cryptsetup status /dev/mapper/dm-0
```
## Firejail Application Sandboxing
Firejail creates a sandboxed environment for applications using Linux namespaces and seccomp-bpf, restricting what files, network resources, and system calls the application can access.
Install:
```bash
sudo apt install firejail
```
Run an application sandboxed:
```bash
firejail firefox
firejail --private vlc
```
`--private` creates a temporary home directory — the application cannot access your real home folder.
Firejail ships with profiles for common applications. Enable integration with desktop launchers:
```bash
sudo firecfg
```
This rewrites desktop file entries so applications automatically launch under Firejail. Verify:
```bash
firejail --list
```
This shows the currently running sandboxed processes.
## Audit Logging
The Linux audit subsystem records security-relevant system events. Enable it:
```bash
sudo apt install auditd
sudo systemctl enable auditd --now
```
View recent audit events:
```bash
sudo ausearch -ts recent
```
Add rules to monitor specific paths:
```bash
sudo auditctl -w /etc/passwd -p wa -k passwd_changes
```
This logs all write and attribute-change events to /etc/passwd with the key passwd_changes. Rules added with auditctl last only until reboot; to keep them, put the same rule line without the auditctl prefix (`-w /etc/passwd -p wa -k passwd_changes`) in a file under /etc/audit/rules.d/ and load it with `augenrules --load`. Review with:
```bash
sudo ausearch -k passwd_changes
```
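Both review steps in this guide, reading AppArmor denials out of the journal and reading keyed events out of ausearch, come down to parsing key=value audit records. The following added shell example (not from the original guide) does that over a file of such records, summarising AppArmor DENIED entries per profile, operation and path, and keyed SYSCALL entries per key, command and outcome, so repeated denials and failed write attempts stand out. The records in the test are constructed; the field names (profile, operation, name, key, comm, success) are the standard AppArmor and audit ones, and the file path in the usage comment is an assumption.

```bash
#!/bin/sh
# Added example: summarise audit-format records (as printed by ausearch or the
# journal) for AppArmor denials and keyed audit events.

# audit_field RECORD NAME -> value of NAME= in one record, quotes removed
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == k) { v = kv[2]; gsub(/"/, "", v); print v; exit }
        }
    }'
}

# apparmor_denials FILE -> one line per distinct (profile, operation, name)
# among apparmor="DENIED" records, prefixed with the hit count, most frequent
# first. Repeated lines for one profile point at a profile that needs a rule
# (or complain mode while troubleshooting) rather than a one-off.
apparmor_denials() {
    awk '/apparmor="DENIED"/ {
        p = o = n = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); gsub(/"/, "", kv[2])
            if (kv[1] == "profile") p = kv[2]
            else if (kv[1] == "operation") o = kv[2]
            else if (kv[1] == "name") n = kv[2]
        }
        c[p " " o " " n]++
    }
    END { for (k in c) print c[k], k }' "$1" | sort -rn
}

# keyed_events FILE -> count of SYSCALL records per (key, command, success),
# most frequent first. success=no entries are attempts the kernel refused,
# which is often the more interesting half of a watch on /etc/passwd.
keyed_events() {
    awk '/^type=SYSCALL/ && /key="/ {
        k = c = s = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); gsub(/"/, "", kv[2])
            if (kv[1] == "key") k = kv[2]
            else if (kv[1] == "comm") c = kv[2]
            else if (kv[1] == "success") s = kv[2]
        }
        n[k " " c " success=" s]++
    }
    END { for (x in n) print n[x], x }' "$1" | sort -rn
}

# Usage (path assumed; ausearch -k passwd_changes > /tmp/audit.txt first):
#   apparmor_denials /var/log/audit/audit.log
#   keyed_events /tmp/audit.txt
```

Values that audit hex-encodes (paths containing spaces or control characters) come through encoded; decode them with `ausearch -i` before feeding the file in if you need them readable.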
## Summary Checklist
| Action | Tool | Priority |
|---|---|---|
| Remove telemetry packages | ubuntu-report, apport, whoopsie | High |
| Encrypt DNS | DNSCrypt-proxy + systemd-resolved config | High |
| Randomize MAC addresses | NetworkManager config | High |
| Enable full disk encryption | LUKS at install | Critical |
| Enable firewall | ufw | High |
| Enable mandatory access control | AppArmor / SELinux | Medium |
| Sandbox applications | Firejail | Medium |
| Enable audit logging | auditd | Low |
Linux privacy hardening is cumulative — each step reduces a specific attack surface. No single measure is sufficient, but the combination above makes your system meaningfully more resistant to surveillance, tracking, and unauthorized access than a default installation.