I bought ProtonVPN for Fedora Atomic Silverblue, the Gnome desktop, because they had a sale and the price was unbeatable at €2.49/month, but now I regret it. If you can afford it, pay a little more and go with Mullvad or WindScribe; they both work with Fedora Atomic. I was previously with WindScribe for a year and I had zero problems with them. I did not renew because I was on a free plan and at the time WindScribe was not running any sale and ProtonVPN was.
ProtonVPN CLI Command Line Linux
I am going to keep ProtonVPN because I made it work in the end, but be aware that if you go down this route with Fedora Atomic as your main operating system you will have to spend two days reading manuals and forums and trying and testing. ProtonVPN, a company worth millions, treats Linux users like garbage, while Mullvad, a company with a few thousand users, gives the same experience to Windows and Linux users. Too bad the price is double; if it wasn’t for this I would not have hesitated going with them. But even the ProtonVPN price has a catch: unlike Mullvad and WindScribe, ProtonVPN does not renew at the price you bought; it is set to auto renew at double the cost. The first thing to do after buying ProtonVPN on sale is to cancel your auto renewal to avoid surprises. I do think they lose money with the €2.49/month sale, but they must be hoping they upsell me on their other products or that I renew at the expensive price.
Another reason why ProtonVPN is cheaper than their competitors is because unlike WindScribe or Mullvad, they run most of their locations as virtual, most of the servers Proton has are located in the United Kingdom, Singapore and Romania, all countries with cheap bandwidth and servers, you can see a list of their virtual locations in their Smart Routing page: https://protonvpn.com/support/how-smart-routing-works
ProtonVPN has a non official flatpak that some people say works fine; the catch is that it is not an official flatpak. Do you really want to install security software that is not official and has no verified or known developer behind it? I decided I would not do that. Shame on ProtonVPN once more for not being able to do this themselves, they don’t care about Linux users. They have a GUI for Linux users too, but the killswitch works best with the ProtonVPN CLI command line, and again that is a security product; if you want the best security you will need the CLI version. That means that after two days of learning how to install it, thanks to the half baked installation instructions from Proton, you will need two more days learning about the command line structure.
But enough ranting, if you already have ProtonVPN this is how you set it up in Fedora Atomic. The latest 1.0.4-1 version.
4. Learn ProtonVPN CLI commands, open terminal and type in
protonvpn --help
The main configuration you must change is setting up the killswitch, ProtonVPN CLI comes with the killswitch disabled, you set it up by typing:
protonvpn config set kill-switch standard
The setting is saved in the CLI’s configuration file. It remains “on” indefinitely until you manually change it back to “off”. Now you are ready to go, but here are a few more notes in case you need to troubleshoot.
You should remove the local install of ProtonVPN and layer onto your system by typing in:
You will be asked to reboot. After you do, you can see your layered and local packages by typing:
rpm-ostree status
Problems:
The most usual problem is that if you use the permanent killswitch instead of the standard one you can lose your Internet access if your computer crashes, or through other factors like uninstalling ProtonVPN without turning off the killswitch first. That is why I recommended using the standard option, but if for some reason you have no Internet do this:
See your network connections:
nmcli connection show
Remove the ProtonVPN permanent killswitch with these possible options, adjusted according to what you see in the connection list (nm stands for network manager):
nmcli c delete pvpn-ipv6leak-protection
nmcli c delete pvpn-killswitch
nmcli c down pvpn-killswitch
Finding a VPN that runs cleanly on an immutable OS like Fedora Atomic isn’t easy. The biggest challenge is a reliable kill switch that doesn’t require changing the system’s core files — tweaking iptables or nftables yourself is possible, but it’s not beginner-friendly. Most solid Fedora Atomic solutions rely on the command line, though some providers ship GUI clients that work within the OS’s layering model.
Swedish provider with RAM-only servers and a strict no-logs policy.
Lightweight Linux GUI client that works on Fedora Atomic; fewer features but everything essential — including a working kill switch — functions reliably.
Audited, no-logs provider based in Malaysia (outside the 14-eyes, and with no mandatory data-retention laws).
While Fedora Atomic isn’t explicitly listed, hide.me provides an excellent CLI client (written in Go) that runs on Fedora Atomic and includes a trustworthy kill switch.
Offers an official .rpm package that can be layered into Fedora Atomic via rpm-ostree, giving you access to their GUI and kill switch.
Pricing and renewal notes
ProtonVPN and NordVPN run promotions from time to time but tend to renew at full price — cancel before renewal if you don’t want to be charged more.
Windscribe and hide.me offer yearly discounts that guarantee renewal at the same promotional price, making them convenient if you don’t want to hunt for deals later.
OVPN also offers yearly pricing that renews at the discounted rate.
Mullvad never discounts; their steady pricing means you won’t be surprised by a higher renewal.
Quick recommendation
If you prefer GUIs and an easy test drive: try Windscribe (free tier).
If you prefer a privacy-first, consistent price: Mullvad.
If you’re comfortable with the CLI and want maximum reliability on Fedora Atomic: ProtonVPN or hide.me.
Like other Linux distributions, Fedora does not track you, it is open source and gets security updates. You should go for Fedora instead of other distributions because they have a big community and they get funding and support from Red Hat; this guarantees that the distribution is not run by a single developer and it is not going to become abandonware. Another worthy distribution is Ubuntu, but I leaned towards Fedora because Red Hat is based in the USA and Canonical, Ubuntu’s parent company, is based in the UK, where free speech laws are more restrictive and surveillance is more omnipresent; for security and privacy I consider Fedora to be better.
Steps to do after installing Fedora Atomic. Notice that non Atomic versions use dnf; these instructions are specific to the Fedora Atomic version, which is more secure.
Change font size to Large font by going to accessibility menu in Gnome
Make sure your operating system time is synchronised or 2FA apps won’t work. In Fedora you can set up NTS (Network Time Security), a more secure NTP (Network Time Protocol), by doing this:
Edit chrony.conf using the command line with:
sudo nano /etc/chrony.conf
Inside the file, add the following NTS servers:
server time.cloudflare.com iburst nts
server 0.ubuntu.pool.ntp.org iburst nts
server 1.ubuntu.pool.ntp.org iburst nts
Make sure this line is uncommented in chrony.conf
ntsdumpdir /var/lib/chrony
Restart chronyd with:
sudo systemctl restart chronyd
If you want to check if chronyd has been configured correctly use:
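One way to read the NTS state of each configured source after the restart, as an added example that is not part of the original post: it classifies the rows of the table that `chronyc -N authdata` prints on chrony 4.0 or later. The sample table is constructed, and the `example.net` hosts and verdict labels are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify each time source in
# the table printed by `chronyc -N authdata` (chrony 4.0 or later).
# Columns: Name Mode KeyID Type KLen Last Atmp NAK Cook CLen

# Constructed sample output. Only time.cloudflare.com comes from the post;
# the example.net hosts are placeholders for sources that did not get NTS.
sample_authdata() {
    cat <<'EOF'
Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  33m    0    0    8  100
nts-failed.example.net       NTS     0    0    0    -    3    0    0    0
plain.example.net              -     0    0    0    -    0    0    0    0
EOF
}

# Read authdata text on stdin and print "<source> <verdict>" per source.
#   NOT-NTS              the source is not configured with the nts option
#   NTS-NOT-ESTABLISHED  nts is configured but there are no keys or cookies
#   NTS-NAK              the server answered with an NTS NAK
#   NTS-OK               keys and cookies are present
nts_report() {
    awk '
        /^Name\/IP/ || /^=/ { next }        # skip the two header lines
        NF < 10 { next }                    # skip blank or truncated lines
        {
            mode = $2; klen = $5; nak = $8; cook = $9
            if (mode != "NTS")                verdict = "NOT-NTS"
            else if (klen == 0 || cook == 0)  verdict = "NTS-NOT-ESTABLISHED"
            else if (nak > 0)                 verdict = "NTS-NAK"
            else                              verdict = "NTS-OK"
            print $1, verdict
        }'
}

# Exit status 0 only when at least one source is listed and all are NTS-OK.
nts_all_ok() {
    nts_report | awk '$2 != "NTS-OK" { bad = 1 } { n++ } END { exit (bad || n == 0) }'
}

# On a real system: chronyc -N authdata | nts_report
sample_authdata | nts_report
```

A source that stays at NTS-NOT-ESTABLISHED has the `nts` option set but chronyd holds no keys or cookies for it, which is the case to look for after editing chrony.conf.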
5. Install KeePassXC using the official Fedora repository
6. Install WindScribe from their official VPN site.
7. Standard Notes has a non official Flatpak; their official Linux app is only for Ubuntu. For security reasons it is best not to download the non official Flatpak and only use the Standard Notes web version; the Brave browser will give you an option to install it as an app.
8. Install Showtime, the video player known as “Video Player” in the Fedora official repository; make sure it is the Flatpak version not distributed by Fedora, as otherwise it will not come with the non free codecs needed to play some files.
9. Install Safe the secure offline password manager based on KeePassXC, it can be downloaded from Fedora official repository.
10. Other applications to install are LibreOffice to have a full featured Word Editor, Pinta as a graphics editor, Document Scanner to scan documents with HP Smart Tank 5105, Peazip to extract files and DéjàDup to back up your data.
As much as Proton tries to market itself as a foundation they are no different from a big corporation when it comes to profits and marketing. Let me give you some examples of this:
They lure paying users with steep introductory discounts available for new customers only and prices surge significantly after the first year. This “bait-and-switch” tactic leaves many users facing renewal rates 2-4x higher.
Posts in ProtonVPN’s official subreddit are not visible without moderator pre-approval and they frequently remove critical comments under vague pretexts like being off-topic or already posted, this creates an echo chamber where positive experiences dominate.
Proton pays money to influencers to promote some of their services, the pay for sign up model leads to biased endorsements.
Reference: YouTuber “The Hated One” Exposes Proton’s Shady Tactics: In his November 2025 video, he reveals Proton offered him $70 per signup to shill their services—but after rejecting the deal and requesting a CEO interview instead, Proton ghosted him completely, ignoring all follow-ups.
ProtonMail has cooperated with law enforcement in several documented cases where they hand over the recovery email address you enter when you open your account with them, Proton is fully aware that the recovery email is not encrypted and handed over when they are subpoenaed, they justify themselves by saying that the user entered it and what not but the fact is that they know about this security hole and do nothing to address it.
Swiss privacy laws are comparable to those of the European Union, you are not safer by Proton being based in Switzerland instead of Germany. As an example in 2021 ProtonMail was forced by a Swiss Court to do real time IP logging of a French climate activist occupying buildings.
And finally a politically charged argument: Proton announcing in their X account that they had donated $100,000 to the Palestinian Red Crescent right when Israel was defending itself from Islamic terrorists, as a European who stands 100% behind Israel this feels like a betrayal, I want my money to be spent aiding Israeli civilians and not on Gaza under Hamas control, I won’t be supporting any company that gives money to Gaza.
To help alleviate the humanitarian disaster in Gaza, Proton has donated $100,000 to the Palestinian Red Crescent Society and other aid organizations working on the ground.
Today I sideloaded TubiTV to my Samsung smartTV. If you live in a country where TubiTV is available you don’t need to do any of this; the instructions are only for people being geoblocked by TubiTV. As a side note, this should work for many other apps like LiveOne.
I will describe my hardware because depending on hardware things might change. I am using a Samsung smartTV with an Android TV box, brand “Strong”, based in Austria but owned by a Chinese conglomerate. They are not one of the cheapest Android set-top boxes out there, but you know it won’t come loaded with malware as it is a well known brand within the Android set-top box community, and more important, it runs Android 11, which makes it harder to install unauthorized software.
You will need an Android phone too, these are the instructions to sideload TubiTV to your smart TV.
Download the app SendFilesToTV from the official Google play store to your smartphone and to your smartTV, the app must be installed in both devices.
With your phone go to the alternative Google playstore UpToDown and download any app, for example TubiTV, this will be a .apk file.
In your smartphone open the Send Files To TV app, click the button that says “Send”, browse to your .apk file downloaded from UpToDown and select sending it to your Android set-top box, which will show up in the destination if you are in the same Wi-Fi network; this only works if your smartphone and the Android set-top box are both in the same network.
Go to your smart TV open the Send Files to TV app, click on Receive and you will see the .apk file, click on it and pick install, you will be prompted to change one security setting to be able to install it, the instructions are very clear, read the screen and change the setting UpToDown tells you, after this you will have UpToDown installed in your smartTV.
Open the alternative Google PlayStore you just installed in your smartTV, go to media and you will find TubiTV and thousands of other apps, now you can pick any app you want and install it without having to use any work around.
For security uninstall SendFilesToTV after leaving a review to the developer if everything has worked for you; the app is free, at the very least you could leave a review, right? You can use other alternative Google play stores like ApkMirror, a Chinese company, but my favourite store is UpToDown for no other reason than that I don’t trust the Chinese government when it comes to privacy and security.
Needless to say that you will still need a VPN to watch TubiTV, you can try WindScribe for free without payment asked and see if it works for you, they support streaming, or pick your own VPN. English speaking countries where TubiTV is known to work: United States, Canada, Australia, United Kingdom.
Posteo is a paid privacy email provider based in Germany. I signed up with them after a recent Fastmail price increase and my concern about Fastmail being an Australian company with servers in the USA.
I briefly considered Yandex, a free Russian email service with interface in English, but it does no good to me to trade NSA illegal spying for Russian Federal Security Service (FSB) illegal spying.
I came to the conclusion that all countries spy and the only way I was going to protect myself from that is by using an email service that is transparent about logs, has encrypted storage with the email provider locked out of them, with no access to the keys, and end to end encryption. What is known in the privacy industry as zero knowledge, and if the company is based out of the Five Eyes wiretapping alliance (UK,US,CA,AUS and NZ) even better.
Posteo fulfilled all the requirements I had in mind and I also liked that they do not have a Facebook page, it shows they really care about customers privacy.
How to open a Posteo account
Opening an account with Posteo took me around one minute, the company does not want to know your name, address, back up email or phone number.
You only need three things to sign up for a Posteo account:
Pick a username
Pick a password
Pay with cash, Paypal, wiring, credit card or voucher (payment methods are anonymised)
Posteo payment
I used Paypal to buy the account, I know Paypal stores all transactions for years and the NSA probably has a direct feed to them but the transaction does not show your Posteo email address, the only available record in Paypal is the date and amount of money you sent to Posteo, your inbox or username is never printed anywhere in the receipt.
Posteo Paypal payment (5 years prepaid)
Furthermore, Posteo’s payment system automatically assigns a code to the inbox so that usernames can never be linked by the company with a payment. Tax laws compel Posteo to keep payment information for 10 years; this includes your name if you used bank transfer or Paypal to buy the account, but it never includes what your email address is, and if the company was asked for this they are unable to provide the information. There is no law forcing Posteo to keep that data.
Specific details on how your payment is anonymized are very well explained with screenshots within Posteo’s FAQ.
One of my favourite things from this company is that their help pages disclose in plain English (German&French) the security measures they take to protect customers from illegal spying by government agencies, what logs Posteo keep, how long for and what happens if they receive a subpoena, as well as some background information about Germany privacy laws.
There are no trial Posteo accounts, payment is taken from day one, but if you are not happy with the service you have the right to revoke it within 14 days and credit will be refunded.
If I had to criticise anything about the payment system, it is that they do not accept Bitcoins.
Posteo email basics
You can access your email via web, IMAP or POP3, attachments are a generous 50MB and the initial inbox is 2GB with a couple of aliases, all of this can be increased according to needs.
Posteo has a single basic email package that is prepaid, if you feel like you need more storage space or more email aliases you can go to account settings and move a slider bar to add extras, as you do this the screen shows you how much more this will cost you, for example, an alias currently costs €0.10 a month, if you need four email aliases that is €0.40 more a month, if you no longer need them next month, you delete it and monthly price comes down again.
The way Posteo pricing is set up you don’t have to pay for things you don’t need, you customize it to your needs, it works out cheaper than paying for an oversized email package that subsidizes heavy or business email users.
The account includes a decent online calendar that can optionally be shared with a public URL, an address book and notes, all of which can be encrypted, in which case sharing is no longer possible.
Posteo email calendar
Consider carefully if you need your inbox encrypted, after you enable it some functions like email searching will no longer work and if you lose your password Posteo support can reset your account but you will not be able to read your old email messages without your old password as Posteo has no way to decrypt them.
For example, because I only plan on using Posteo in the browser I activated the additional email account protection that eliminates IMAP access, and this stopped notes from autosaving so I had to reactivate it. Next to each encryption setting you will see a box that tells you what features stop working if you choose security over functionality.
Posteo email security
There are a ton of security measures, and nearly all of them can be configured; Posteo is ideal for advanced privacy email users that like to have control and spend time tinkering with their security settings. It took me a good couple of hours of reading to understand all that Posteo had to offer.
This company is one of the first email providers to implement DANE, a DNS based authentication method that checks the digital certificate fingerprints of other email providers. This detects bogus certificates replaced by sophisticated hackers; state sponsored operatives have been known to do this trick in the past.
For DANE to work other email providers must support it too. When sending an email to somebody, a small green check box in Posteo lets you know if the server you are communicating with is DANE compliant. Tutanota supports it and Protonmail has plans to have DANE this year, but the big NSA back doored email providers, like Gmail, Yahoo and Outlook, have no DANE support.
Encrypted email provider Posteo
Another setting activates a TLS-sending guarantee, with the checkbox ticked your messages will not be delivered to any TLS insecure email server, if Posteo comes across one you get a warning and have the option of sending the message without proper encryption in transit or not sending it.
To use PGP you need to install the MailVelope browser addon; after that a new button that says “Compose&Encrypt” magically appears in the webmail interface.
You can add your public encryption key to the Posteo keyserver and activate “encrypt all incoming email”; this means that all messages you receive will be automatically encrypted with your own PGP key at the door, on top of the encrypted inbox.
You might want to do this if you don’t trust Posteo’s own encryption: you add an extra layer with your own keys. However, if you lose your private keys you will not be able to read the messages again, and every time you click on an email in your inbox you are required to enter the decryption password in MailVelope.
I found incoming encryption too burdensome, I would only propose it to the most paranoid kind not concerned with quick email access.
Posteo PGP encryption Mailvelope
Hat tip to Posteo for automatically bouncing my public encryption key back to my inbox with a warning that it did not conform to security.
During key generation I made the mistake of adding my first name to the public encryption key and Posteo very rightly rejected it in their keyserver as the name can be used to track down your identity, I was only able to add the key to the server after changing the name field with a non descriptive text, like my email address.
Two factor authentication is possible too, Posteo works with any open standard TOTP app, like Google Authenticator, but the company recommends FreeOTP because it is open source (developed by Fedora), or if you own a Yubikey you can use it for two factor authentication, the help pages come with clear instructions and screenshots about how to set it up.
Posteo downsides
It put me off Posteo that they don’t own the .com of their email address. I had people in the past sending me messages to a .com version of my address; it is a common mistake many people make. I find it very short sighted that a company like Posteo, offering a choice of 30 different domain names for your email aliases, does not have a single neutral .com that you can pick for an email address. You can have a @posteo.af address, country code from Afghanistan, and a @posteo.jp country code from Japan, but .com is not an option.
I would have appreciated a non descriptive .com domain whose URL does not resolve to the Posteo homepage and that can be used as an alias.
Another downside for me is that Posteo does not have a Spam folder and you can not have one. Posteo drops all spam silently and you must trust they do it correctly.
My experience with email providers so far has been that no spam filter is 100% perfect and I have no way of finding out if a message is not getting to my inbox because it was flagged as spam by mistake or because it was never sent.
You can whitelist addresses in the filter but there is no way of whitelisting something you don’t know about.
Posteo advantages
Posteo comes with Mailvelope preconfigured, after installing the addon in my browser a new encryption button appears in the webmail interface and this gives me the ability to communicate with other PGP users holding my own encryption keys instead of Posteo doing that.
The encrypted email inbox and being able to encrypt all incoming messages with my own private encryption keys is a huge perk too.
Posteo message filtering
It takes time to encrypt messages yourself, entering passwords, selecting the right keys, etc. If you are tight on time and security is not that important for you it might be best that your email provider does all of that, but if you want to err on the cautious side and trust nobody with your encryption keys, owning your own keys is the right way to do it.
I also liked the email filtering, being able to file messages into folders as they arrive, according to subject, sender, etc.
Posteo support
Support is not suited for businesses, but I think that an individual will be ok waiting one or two days for a reply. You can contact Posteo by email during German working hours.
I sent Posteo support an email to ask a question about my settings and it took 24 hours to get a reply that solved my question. There is no ticketing system; this might unnerve some people, because you keep wondering if the email was ever received, but not having a ticketing system is advantageous for those who value privacy and a very good idea.
The company barely keeping records of anything means that the information can not be lost or stolen and you can always check the “sent receipt” box if you email support, this way you will know they have received your inquiry.
Posteo vs Protonmail
I like Protonmail design and them forcing two different passwords to access the encrypted inbox. The main reason why I did not buy a Protonmail premium account is that their paid accounts cost five times more than Posteo. Protonmail has a bigger inbox but I wasn’t going to use it.
It also put me off a bit knowing that in 2015 Protonmail had paid ransom to some cybercriminals DDoSing their servers; it shakes my trust in how much of a fight the company is willing to put up for what is right when I see Protonmail selecting the easy way and paying up to avoid problems.
Posteo vs Tutanota
I was really close to buying a Tutanota premium account: they offer more aliases than Posteo, both companies are based in Germany and cost the same, plus I like a couple of Tutanota features not found in Posteo, like being able to send links to password protected messages.
I finally went for Posteo because of their Mailvelope pre-configuration and because I wanted a company that will not go bust. Posteo has been around for more years than Tutanota and they do not offer loss making free accounts which makes it more likely that they will survive.
Posteo review conclusion
If you are comfortable managing your own PGP encryption keys, want an email service with an encrypted inbox that does not keep logs or records your identity and it comes with lots of features at a cheap price, I think that Posteo is unbeatable, far cheaper than other paid providers (€12/year).
You should also pick Posteo for an email provider with calendar, notes and aliases that will respect your privacy and if you need a mailing list provider, this is still in beta but it should be rolled out soon.
But if you would rather have your email provider do all PGP encryption for you at the back end, don’t pick Posteo, and if you wish to pay with Bitcoins Posteo should be off limits for you too.
Getting fed up with noticing daily brute force attacks in the server logs, I decided to up the game and implement two factor authentication (2FA) in the blog login page; this way even if a trojan horse in my PC captures the long random password nobody will be able to break in.
The most common choice for two factor authentication is Google Authenticator, or a compatible mobile app like LastPass Authenticator or Authy. The problem I had with them is that I carry my mobile phone with me everywhere and I was afraid of losing it, together with the matter of mobile apps wasting time requiring you to enter a long random number in the login page. For those reasons, I decided that a hardware token authentication was preferable and I bought a Yubikey Edge and a Yubikey Neo.
The main difference between the Yubikey Neo and the Edge is that the Neo has NFC and it can be used with a smartphone or tablet that supports NFC, usually high end models, without the need for any USB port.
Yubikey Neo and Edge
Something to remember is that Yubikeys only work with the Chrome browser, Mozilla Firefox intends to add U2F support in the future but this has not been done yet.
Fortunately there is a Firefox addon called “U2F Support Add-on” that has been reviewed by the Mozilla team to make sure that it doesn’t have security complications and it works. I also use the Yubikey with Vivaldi, a Chrome based browser and it also works, this way I can avoid a pure Chrome browser loaded with Google spyware.
Before buying the tokens I researched on Yubico’s website what online services I could use the Yubikeys with, that was my first mistake. Trusting everything a manufacturer says when they are trying to sell a product is not clever.
Yubico lists self-hosted WordPress blogs as “supported”. After buying the Yubikey I found out that the plugin for WordPress is not developed by Yubico; it has been coded by an individual and it has not been updated for over two years, and it rightly comes up flagged with a security warning in the WordPress plugin directory.
Will I expose my website’s security to a plugin not updated for the last 2 years that looks like abandonware? Sure not and I think that anybody who cares about their WordPress blog wellbeing should not use a Yubikey until a company or somebody reliable officially updates and supports the necessary plugin.
The second account I wanted to use the Yubikey with is my Google Account, again a problem comes up. I have no idea why it happened but facts are facts and after setting up the Yubikey with my Google Account and using it a couple of times it suddenly stopped working.
I attempted to make it work with a Chrome based browser (Vivaldi) and Firefox, and I confirmed that my Yubikey was fine by going to Yubico’s demo page. For whatever reason my Google Account doesn’t like the Yubikey; although officially Google supports Universal Two Factor authentication tokens, the Yubikey will not show up in the log in page anymore.
The third account I wanted to secure with the Yubikey is my Fastmail account, another unexpected obstacle I did not count on. It was remarkably painless for me to add the Yubikey to Fastmail, but then I found out that having a Yubikey added in Fastmail does not disable single factor authentication, all it does is to give you the choice to use a Yubikey to login into your email account from a public computer without having to worry about the password being stolen.
Yubikeys with Fastmail will not stop brute force attacks of your main username, and if anybody steals your login masterpassword you will lose your account. For me the whole point of setting up 2FA is making it impossible for others to access the account without the key and the password together, and Fastmail can not do that.
Yubikey Edge and Yubikey Nano with NFC
Yet more disappointments trying to set up my Yubikey with Evernote: Yubico lists it as supported, but I found out that for it to work you have to install the Yubico Authenticator Desktop application and configure it with Evernote. It is not complicated, but it means software has to be installed on your computer and time spent, which defeats some of the purposes of using a hardware token for authentication, like simplicity.
Another problem, Dashlane is listed as one of the password managers supporting Yubikey to login, but only for a price, you can only enable a Yubikey with Dashlane if you have a paid account. Perhaps Yubico should have mentioned this on their page of supported services.
Conclusion Yubikey review
I am entirely out of love with the Yubikey. A few of the problems I had were not Yubikey’s fault, like Dashlane charging you money for the privilege of securing your account with it, but other problems, like the outdated plugin for WordPress, I feel are partly Yubico’s responsibility. They should have some kind of agreement or a developer to make sure that the most popular services work with the Yubikey and do not look like abandoned projects.
The commendations for the Yubikey are that it is sturdy, it needs no battery and I had zero problems about drivers, but until it works for real in major websites I am not going to recommend it to any of my friends and I would not trust any of the supported services listed on Yubico’s site. If you plan on using a Yubikey on a certain service, visit that page and get the information directly from them instead of Yubico.
Promising project, too bad it can’t be used as intended anywhere meaningful.