Tor at the Heart: Security in-a-Box

This is one of a series of periodic blog posts where we highlight other organizations and projects that rely on Tor, build on Tor, or are accomplishing their missions better because Tor exists. Please support the Tor Project! We're at the heart of Internet freedom.
Donate today!

Security in-a-Box

More than ten years ago, Tactical Tech and Front Line Defenders started providing digital security trainings for human rights defenders at risk around the world. Soon thereafter, they created Security in-a-Box to supplement those trainings and to support self-learning and peer-education among those defenders.

Security in-a-Box offers general advice and practical walkthroughs designed to help its users secure their digital information and communication by choosing the right software and integrating it into their daily lives.

Hands-on guides

Security in-a-Box offers a number of Tool Guides that explain step-by-step how to download, install, and use digital security tools on Linux, Windows, Mac OS X, and Android. Some of these guides that were recently updated in 11 languages include:

  • Tor Browser for anonymity and censorship circumvention (on Windows & Linux)
  • Signal for encrypted messaging and Voice-over-IP calls on Android
  • VeraCrypt for file encryption (on Windows & Linux)
  • Thunderbird and OpenPGP for email encryption (on Windows & Linux)
  • KeePassX for secure password management (on Windows & Linux)
  • Firefox with add-ons for more secure web browsing (on Windows & Linux)
  • Jitsi and OTR for encrypted instant messaging (on Windows & Linux)

Other Tool Guides cover setting up a Riseup email account, securing the Windows operating system, and protecting data when using social networking platforms (like Facebook and Twitter).

Security in-a-Box also includes a few community-specific toolkits tailored for LGBTI communities in the Middle East and North Africa and Sub-Saharan Africa, for environmental rights defenders, and for women human rights defenders.

Tips and Tactics

As digital security is a process that extends well beyond the adoption of specific tools, Security in-a-Box also offers Tactics Guides that propose new ways of thinking about security and recommend practices that might strengthen it. Some of these include:


Over the years, a community of digital security trainers, editors, translators, and privacy advocates has sprung up around Security in-a-Box. Many digital security trainers from Africa, Latin America, Central and Southeast Asia, Europe and North America rely on Security in-a-Box for their trainings and contribute to its development.

Thanks to the project’s community translators, Security in-a-Box is published in 17 different languages. Recently updated translations include: Arabic, Spanish, Farsi, French, Indonesian, Portuguese, Russian, Thai, Turkish, Vietnamese and Chinese. As a result, Security in-a-Box reaches well over a million people each year with advice on digital security, online privacy and censorship circumvention.

None of this would have been possible without the work of the software developers who create these tools in the first place, and to whom we are extremely grateful. Donate to the Tor Project today!

Written by Maria Xynou (Tactical Tech) and Wojtek Bogusz (Front Line Defenders)


Unfortunately, some of that advice has not been updated for a long time, to the point of being dangerous to use, including one of the potentially most useful:

"Anonymous Blogging with WordPress & Tor – ARCHIVED
This guide was originally written in 2005 and has not been updated since 2009. Please DO NOT use it for practical purposes."

:-) OK !

Super :)))

Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers. Still, now everyone knows that what we long feared is true: FBI agents do not need to seek any warrants or to ever tell any judge if they want to target anyone who they believe is "engaged in the development of communications security practices":
Undercover FBI Agents Swarm the Internet Seeking Contact With Terrorists
The FBI’s online activities are so pervasive that the bureau sometimes finds itself investigating its own people.
Cora Currier
31 Jan 2017

> According to the guide, an online counterterrorism investigation can target websites or online networks that the FBI believes terrorists are using “to encourage and recruit members” or to spread propaganda. Such probes may extend to the administrators or creators of those forums, as well as people engaged in “the development of communications security practices” or “acting as ‘virtual couriers’ for terrorist organizations by passing online messages among members or leadership.”

Individual FBI agents are given very wide latitude in how to interpret these manuals, so some of them probably consider that anyone operating a Tor node is "acting as a virtual courier".

> Bruce Schneier and Tor Project employees may not be surprised by one revelation from the latest batch of leaks of secret FBI papers.
Mismatch: it comes from an ancient law (UK usage): 'legitimate suspicion', still applied after several centuries; nothing to do with terrorism or the FBI or the internet (it is usually only used against genuine people, so the "Trump ban" is not involved).
In fact, this law has become a standard in the rogue state and where a mafioso / military force became the "legitimate government" _ nothing to do with the USA (E.U. & Arab & eastern countries are a better example) ...

From my point of view, the ISP provider is at the heart of Internet freedom.
When will we have free/gratis access to the internet?
That's the point!

We don't need free access, we need reliable access!

No, we need free access (gratis) _ fiber is coming & a digital revolution could happen with real free (without bug/backdoor) hardware _ that's the second logical step ...

Not for another 4 years at the very least, in the U.S.

Do you know of any project about that which has been stopped or should start, according to the concerned state (U.S.A.)?

Jitsi is the most bugged XMPP client in existence. is better

Pidgin is recommended, but who has 100 correspondents & could say: it is safe & no one knows whom and why & where I use it?
* I tried it several times for communicating with a few 'unknown' friends, but I was not a target.

Pidgin is super scary, at least to me.

That's why I use Ricochet and Tor Messenger, and I avoid anything with libpurple in it.

"Other Tool Guides cover setting up a Riseup email account,"
Not a good idea. Riseup may have been compromised.
Even if users use PGP, admins of an email server can know who is talking to whom, and all contacts in the address book. What time the user is online.

From article:
""Due to Thanksgiving and other deadlines, our lawyers were not available to advise us on what we can and cannot say," the collective member told me. "So in the interest of adopting a precautionary principle, we couldn’t say anything. Now that we have talked to [counsel], we can clearly say that since our beginning, and as of this writing, riseup has not received a NSL, a FISA order/directive, or any other national security order/directive, foreign or domestic.""

"And yet, when I asked if riseup had received any request for user data since August 16, the collective did not comment. Clearly, something happened, but riseup isn’t able to talk about it publicly."

Hope not compromised.

More on riseup email maybe compromised:

Need more work around metadata, add Ricochet

> There is an excellent freeware anti-virus program for Windows called Avast, which is easy to use, regularly updated and well-respected by anti-virus experts. It requires that you register once every 14 months, but registration, updates and the program itself are all free-of-charge.

Recommending Avast ... :/

You going to disclose your affiliation with the Avast organization?

What about Avast silently uploading information from your computer to sell and make money from your "free" SW (like some others)?

Don't mention Avast's spying extension they were caught installing in 2014 (

- Why do I have "query OCSP responder servers" checked on the advanced tab?
- Is it recommended, or can I uncheck it?
Calomel says that it is better unchecked ...

- i love ricochet but it is still in version 1.1.0 (1.1.2) does not work oops !) not yet updated ?
