Recently I switched my primary email from Gmail to ProtonMail and wanted to share a few things about increasing your security with this service. As with any email service I do not check email on my host machine. Instead I opt to check it in a virtual machine environment. Dedicating a VM to just email has a higher resource cost than I am willing to do. There are lots of issues and variables you introduce when you start checking email from the same device. So I opt to use a live CD when I need to check email.
Using Live CD’s is a enhanced security measure I take because nothing is being wrote to a persistent disk. So as you click on email or even click on a link you can better protect yourself by shutting down the vm then powering it back on and your live environment is back to square one from the beginning. I have my password in a local password manager database that is encrypted on my host machine. I will pass those credentials to the VM. My VM never has access to my entire password database and only has one way access to my hosts clipboard. This minimizes threats to hijack my password manager thus the only threat I need to contend with is if my one password gets stolen.
So where to start:
The live CD I typically use is an OpenSuse Tumbleweed Live CD with Oracle Virtual Box. The live CD already has the VM based drivers I need to allow me to use native resolution and I can give access to my clipboard as needed.
The following link will download the current live CD ISO of OpenSuse Tumbleweed.
These ISO’s are great as they are constantly getting updated so I am never stuck with a live CD that gets to far out of date on security fixes and so forth. If you are interested in building your own flavor of OpenSuse I would highly suggest you check out Suse Studio.
Welcome - SUSE Studio
Everywhere? Yes, everywhere. In the cloud, on a server, on a live CD. With SUSE Studio you can build it from your…
So once I am booted up into the live CD environment I am ready to access my email. Once you are in your ProtonMail account you should enable 2FA authentication. You can do so by clicking on settings >> security
Once you enable 2FA you can go to your Account tab and go to single password mode to make things easier. You will always be prompted for your 2FA code upon login as show below:
At this time I am leaving PGP out of this. While my account does have a pre-generated 4096 bit key. I’ll save PGP and it’s various problems for another time.
Also for those that need to access their mailboxes through TOR their is now an onion based address for proton mail it can be accessed at the following URL:
To full announcement can be found here: