Plug, Boot, Vanish: How I Turned a USB Stick into a Portable Privacy Fortress | by Mohammed Afnaan Ahmed | May, 2025 | InfoSec Write-ups

Plug, Boot, Vanish: How I Turned a USB Stick into a Portable Privacy Fortress

Carrying a security-hardened OS in your pocket means you can plug into almost any PC and work with assurance: full-data encryption, network anonymity, and no local traces, all at zero software cost. Below, you’ll find an exact blueprint of what we’ve done and why it matters.

1. Hardware & Partitioning

Drive: 128 GB USB 3.0 stick.

Layout:

  • 8 GB NTFS decoy partition (prevents Windows format prompts, holds portable utilities)
  • 512 MB FAT32 EFI boot partition
  • 512 MB EXT4 /boot
  • Remaining space → LUKS-encrypted EXT4 root

2. OS Installation & Encryption

OS: Linux Mint Cinnamon, installed to the encrypted root partition just as you would on a hard drive.

Encryption: LUKS protects all data at rest. Only someone with your passphrase can unlock the OS.

3. Volatile Logging

Send logs to RAM: Set Storage=volatile in /etc/systemd/journald.conf so that all logs are kept in RAM and disappear on reboot.

4. ZRAM Instead of Disk Swap

Why ZRAM? Compressed in-RAM swap improves performance and spares your USB from wear.

Setup: sudo apt install zram-config, then adjust PERCENT=50 (or whatever you prefer) in /etc/default/zramswap.

5. ProtonVPN Auto-Connect + Advanced Kill-Switch

Client: Official ProtonVPN Linux app (free tier supported).

Setup:

  • Add the ProtonVPN client to startup applications.
  • Auto-connect at startup: connects to the VPN upon launch.
  • Advanced Kill-Switch: blocks all traffic if the VPN drops (persists through reboots).

6. MAC Address Spoofing on Every Boot

Tool: macchanger, with a custom systemd unit that iterates over /sys/class/net/ and randomizes every network interface (except loopback) on startup.
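One way to write the script such a unit could run, as an added example rather than the author's own unit or script. The install path, the unit shown in the comments, and the function names are assumptions; `macchanger -r` and `ip link set` are the real commands.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed (hypothetical) install path:
# /usr/local/sbin/mac-randomize.sh, run by a oneshot unit along these lines:
#   [Unit]
#   Description=Randomize MAC addresses before networking starts
#   Wants=network-pre.target
#   Before=network-pre.target
#   [Service]
#   Type=oneshot
#   ExecStart=/usr/local/sbin/mac-randomize.sh --apply
#   [Install]
#   WantedBy=multi-user.target

# Print each interface found under a sysfs-style directory, skipping loopback
# (ARPHRD type 772, or the name "lo") and non-directory entries such as
# bonding_masters.
list_spoofable_ifaces() {
    sysfs_dir=${1:-/sys/class/net}
    for path in "$sysfs_dir"/*; do
        [ -d "$path" ] || continue
        name=${path##*/}
        arphrd=$(cat "$path/type" 2>/dev/null || true)
        [ "$arphrd" = "772" ] && continue
        [ "$name" = "lo" ] && continue
        printf '%s\n' "$name"
    done
}

# Take each interface down, assign a random MAC, bring it back up.
# Returns non-zero if any interface kept its real MAC, so the unit shows
# as failed instead of silently leaving the hardware address exposed.
randomize_all() {
    rc=0
    for iface in $(list_spoofable_ifaces "$1"); do
        ip link set dev "$iface" down || { rc=1; continue; }
        macchanger -r "$iface" >/dev/null || rc=1
        ip link set dev "$iface" up || rc=1
    done
    return "$rc"
}

# Only touch real interfaces when asked to, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    randomize_all /sys/class/net
fi
```

After boot, `systemctl status` on the unit shows whether every interface was randomized, and `macchanger -s <interface>` prints the current and permanent MAC for comparison.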

7. Firewall Hardening (UFW)

Block everything by default (sudo ufw default deny incoming && sudo ufw default deny outgoing).

Allow only VPN tunnel traffic (sudo ufw allow out on tun0) and DNS (sudo ufw allow out 53).

Effect: No accidental leaks. Only encrypted VPN traffic flows.

8. Browsers & Tools

  • LibreWolf as primary browser with zero telemetry, fingerprinting protections, no DRM.
  • Brave as fallback browser for incompatible sites (Chromium-based, still privacy-respecting).
  • Extensions: uBlock Origin.

  • Kali Linux tools (e.g., Nmap, Metasploit): installable via Debian repos, scripts like Katoolin3 or kali-on-linux, or even my very own Project Overhaul.

9. Performance & Resource Management

Low footprint: Mint Cinnamon is lighter than many desktop environments, and ZRAM and minimal apps keep RAM use low.

Minimize Autostart Apps: Disable unnecessary startup services (e.g., System Reports, welcome screens) via Startup Applications Manager to speed boot and reduce load on the drive.

10. Plug-and-Play Portability

  • Boots reliably on UEFI/BIOS across Windows and Linux machines.
  • Internal drives are left untouched (auto-mount disabled) and logs are ephemeral, so no data trace remains.
  • Encrypted root, volatile logs, VPN, MAC spoofing, firewall: everything is self-contained on the USB.

Optional: Tor Browser

  • You can also install Tor Browser on the encrypted root for maximum anonymity, but I balance this with performance and compatibility by defaulting to LibreWolf.