Richard Stallman says that Facebook doesn’t have users, it has “useds”. And regardless of whether those “useds” are willing, he’s right. As Mark Zuckerberg pointed out in his recent congressional testimony — Facebook will always be free. This extremely expensive service is built around using your data to make money. Of course it’s free. They don’t need your money!

It’s hard to go a day without learning how Facebook, Twitter, and a variety of other social networks allowed third party marketing and research agencies access to your data. Even though, in many cases, you “allowed” this by clicking agree on a box that no one ever reads, the thought is still troubling.

Even if you weren’t caught up in the massive data collection effort by Cambridge Analytica, you still are tracked by Facebook as you browse the web. Every site that uses Facebook’s like box or tracking code allows the social network to collect a list of each site you visit.

Privacy advocates like Richard Stallman and Edward Snowden have been cautioning about using Facebook for years, but these concerns only resonated with the mainstream when the Cambridge Analytica story broke. In that moment of media spotlight (one I hope doesn’t fade), people saw Facebook for what it really was — a data collection and gathering tool.

I know I’m being hard on Facebook, so it’s only fair that I disclose it has benefited my life. The social network has connected me with old and new friends. But with privacy concerns on everyone’s mind, I took the opportunity to collect contact information from friends I had only interacted with through Facebook. I’ve managed to get several of them signed up with Signal or Telegram as alternate messengers, and even added a few to alternative networks.

The Facebook a̶d̶d̶i̶c̶t̶i̶o̶n̶ habit is hard to break.

Throwing the Baby Out with the Bathwater

Despite my gradual distancing from Facebook and social networking in general, I still get enough out of it that removing it from my life entirely isn’t warranted. I pondered a way to stay connected without giving up copious amounts of personal data and browsing history.

I wanted to have my cake and eat it too.

It soon dawned on me that I already have a way to segment sections of code and data — virtualization. The concept is simple: containerize poorly-behaving applications and services into sandboxes where they can do no harm.

Virtualization with Benefits

Virtualization is not just about privacy. If you work on multiple projects, you can containerize data, tools, and credentials into portable one-file disk images that will work on any system.

Protecting that data is a breeze with disk encryption inside the image. The data you need for that project stays safe and secure instead of sitting on the host system, where unrelated processes can reach it.

Managing multiple versions of Ruby, Python, or even entire library tool chains is no longer a chore. Keeping them isolated in their own virtual disk image saves many version headaches.

Enter Linux

Windows and macOS are great operating systems, but both suffer from privacy issues. They are enormously capable but are increasingly subject to data collection, a practice usually referred to by a far more pleasant-sounding word: telemetry. While sending Apple or Microsoft data about which apps you use isn’t inherently bad, crash reports can contain personal data (including document contents and chat logs). Even if this doesn’t concern you, your company or clients may legally bind you to keep such data private.

It’s possible to turn telemetry and crash reporting off for macOS (for now) but disabling this on Windows 10 is difficult at best. There are solutions, but most are out of reach or too difficult for your casual user to do. Even if this data isn’t sent to Microsoft, it is often still collected locally, leaving it available for malware to exploit.

Because of these concerns, it is best that your hypervisor (the operating system that runs on bare metal) be some flavor of Linux or BSD. Since Linux is most accessible and the most popular alternative, that’s what we’ll focus on in this article.

Stuck Windows

Before we dive into Linux, there are situations where running Linux on actual hardware isn’t possible or feasible. While these cases are rare these days, it isn’t a mortal sin to use Windows. If you’re stuck on this platform, you can still create virtual machines using Linux and gain most of the benefits of containerizing bad applications and websites.

Unless you own a license for VMware Workstation, your best option is to use Oracle’s VirtualBox for Windows. If you’re on a 64-bit system with a processor that supports hardware virtualization (and nearly every system made within the last ten years does), it’s a fast and feature-packed solution.

If you own Windows 7, 8.1, or 10 Professional you can install Hyper-V and run virtual machines. The Linux kernel has native support for Hyper-V, but you won’t have the desktop integration features that VirtualBox provides.

If you are forced to use Windows as your main system, install only the pieces of software that absolutely require Windows and won’t work under Wine, like Adobe Creative Cloud and recent Microsoft Office versions, and keep the rest of the software you need in Linux containers.

Installing Linux

Getting a host Linux distribution installed is a broad and possibly complicated topic depending on your specific hardware and chosen distribution. However, there are some general guidelines I can offer that will help make a system better for virtualization.

First, unless you have a specific need for certain drivers or a unique desktop experience, I recommend sticking with a base distribution instead of derivatives. Linux Mint and Ubuntu are fantastic distributions for beginners, but the bloat that comes with these packages isn’t ideal for this project. I would select a long-term stable system like Debian or CentOS. Rolling distributions like Arch would be suitable if you are careful to examine pending updates to ensure they are compatible with your hardware and virtualization. In this article, we’ll be using Debian 9, but I’ll try to keep commands agnostic so that they will work on other systems with little to no modification.

I usually use drive encryption on all my operating systems, but you may wish to give this a second thought on your hypervisor. I have found more value in encrypting guest installs over the host for better performance. I’d rather have a guest disk image that I can carry to another computer than rely on that target computer, USB device, or network connection to be secure. That said, if you’re paranoid, encrypting both the host and guest is a completely feasible option, just remember you will pay a small performance penalty.

VirtualBox comes with native support for encrypted VMs but I prefer to use the cryptsetup / LUKS full-disk encryption offered with most Linux distributions. This prevents lock-in to one particular virtualization technique.

I also suggest setting up only a minimal, lightweight desktop environment. Openbox would be ideal, but LXDE, Xfce, and MATE would be great choices as well. While I like Cinnamon, KDE, and GNOME, these desktops are more resource intensive. I’d rather have those extra CPU and GPU cycles for my virtualized guests. You can choose one (or several) of these desktops during install, or later via the tasksel command.

While your hypervisor system may have a browser installed (Debian comes with Firefox ESR), you shouldn’t use it for general surfing (and certainly never log into any service with it). Its primary purpose will be to download Linux or Windows ISOs if you don’t already have them.

Choosing a Virtualization Strategy

On Linux, you have two primary virtualization systems: KVM and Oracle’s VirtualBox. KVM is baked into the Linux kernel, whereas VirtualBox is a stand-alone piece of software. It would be difficult to say one of these solutions is objectively superior, but you may have a preference or be more familiar with one over the other.

There is no wrong choice, but I would strongly advise using Oracle’s VirtualBox unless you are comfortable with the Linux command prompt and willing to occasionally dig into the internals of KVM.

Installing VirtualBox in Linux is generally done through the package management system, but on Debian 9 you must activate the stretch-backports repository by adding this line to /etc/apt/sources.list:

deb http://ftp.debian.org/debian stretch-backports main contrib

Save this file, then run:

apt update
apt install virtualbox

For KVM, run:

apt install qemu-kvm libvirt-clients libvirt-daemon-system virt-manager virt-viewer bridge-utils

Then add your user to the libvirt and libvirt-qemu groups:

adduser YOURUSER libvirt
adduser YOURUSER libvirt-qemu

(replace YOURUSER with your username)
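Before trusting the KVM setup, it is worth checking that the host can actually run hardware-accelerated guests and that the group change took effect. The script below is an added example, not from the original article: it reads the CPU flags, checks for /dev/kvm and confirms the user is in both libvirt groups. The function names are my own; pass a username as an argument or it defaults to the current user.

```shell
#!/bin/sh
# Added pre-flight check (not from the original article): confirms the host
# can run KVM guests before any VM is created. Function names are my own.

# Report which hardware virtualization flag a cpuinfo file advertises:
# vmx (Intel VT-x), svm (AMD-V) or none. Takes the path of a
# /proc/cpuinfo-style file so it can be tested on a constructed sample.
virt_flag_from_cpuinfo() {
    if grep -q -w vmx "$1"; then
        echo vmx
    elif grep -q -w svm "$1"; then
        echo svm
    else
        echo none
    fi
}

# Succeed only when the space-separated group list (the output of `id -nG`)
# contains every group named after it.
user_in_groups() {
    groups_line=$1
    shift
    for g in "$@"; do
        case " $groups_line " in
            *" $g "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run the three checks for a user (defaults to the current one).
kvm_preflight() {
    user=${1:-$(id -un)}
    flag=$(virt_flag_from_cpuinfo /proc/cpuinfo)
    if [ "$flag" = none ]; then
        echo "no VT-x/AMD-V flag in /proc/cpuinfo: enable virtualization in the firmware setup" >&2
        return 1
    fi
    echo "hardware virtualization: $flag"
    if [ ! -c /dev/kvm ]; then
        echo "/dev/kvm is missing: is the kvm_intel or kvm_amd module loaded?" >&2
        return 1
    fi
    if ! user_in_groups "$(id -nG "$user")" libvirt libvirt-qemu; then
        echo "$user is not in both libvirt and libvirt-qemu; log out and back in after adduser" >&2
        return 1
    fi
    echo "ok: $user can use KVM"
}

# Usage: sh kvm-preflight.sh --run [USERNAME]
case "${1:-}" in
    --run) kvm_preflight "${2:-}" ;;
esac
```

A common surprise is the third check: adduser does not affect sessions that are already logged in, so a freshly added user will still be unable to open /dev/kvm until they log out and back in.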

With KVM, you may wish to add a bridge to your network configuration. This is not required unless you want your guest to obtain an IP address on the local network. For general web browsing it isn’t needed, since libvirt’s default NAT network hands the guest an address from its built-in DHCP server, but if you wish to run SSH or any other server in the guest, a bridge will be helpful.

On Debian 9, this would entail adding the following to your /etc/network/interfaces file:

auto br0
iface br0 inet static
    address 192.168.1.2
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    bridge_ports eth0
    bridge_fd 9
    bridge_hello 2
    bridge_maxage 12
    bridge_stp off

In the above example, replace the networking values with the desired bridge settings and replace eth0 with your primary network card as listed in the interfaces file. Once it is a bridge port, the physical card should carry no address of its own, so remove or comment out any existing iface eth0 inet dhcp (or static) stanza; br0 now holds the address. If you don’t see your card listed, run:

ip link show

For more details about network bridging in Debian, please see the Network Bridging page on the Debian wiki.

After this, it’s easiest to just reboot. This will load the bridge and any appropriate modules needed.

Choosing a Virtual Storage Strategy

In my computers, I generally use a 256 or 512 GB SSD for the operating system and applications and a 2 TB or larger mechanical (spinning-platter) hard drive for data. Since this is an increasingly common configuration, here are my recommendations for virtual disk images:

· For virtual machines where disk performance is vital and install size and data is small, put the entire disk image on your SSD drive.

· For virtual machines where disk performance is vital and data generated is large, create an OS disk image on the SSD drive and a data image on the data drive.

· If performance is not important and you have plenty of space, create the disk image on your data drive to save space and wear on your SSD disk.

If your system uses only SSDs or only mechanical drives, or has a single drive, this distinction doesn’t apply.

For backup purposes, it’s best to shut down virtual machines before backing up their disk images to prevent data loss. I have backed up disk images on live systems without issue, but it never hurts to be cautious.

Since an entire virtual machine is contained in one or two files, carrying it from one machine to another (even on a thumb drive) is easy.
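As an added example of the shut-down-first rule above (this script is mine, not part of the original article), here is a small VirtualBox backup helper. It asks the guest to power off via ACPI, waits until VBoxManage reports it as poweroff, refuses to proceed on a suspended (saved) machine, copies the disk image and verifies the copy with sha256sum before you carry it anywhere. It assumes VBoxManage is on the PATH and that the VM keeps its disk in a single .vdi; the VM name and paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original article): back up a VirtualBox guest
# only once it has really powered off, then verify the copy. Assumes VBoxManage
# is on PATH and the VM uses a single .vdi; names and paths in the usage
# comment are placeholders.

# Pull the VMState value out of `VBoxManage showvminfo VM --machinereadable`
# output (a line such as VMState="running"). Reads from stdin so it can be
# tested on a constructed sample.
vm_state() {
    sed -n 's/^VMState="\([^"]*\)"$/\1/p'
}

current_state() {
    VBoxManage showvminfo "$1" --machinereadable | vm_state
}

# Poll until the VM reports poweroff; give up after $2 seconds (default 120).
wait_for_poweroff() {
    vm=$1; limit=${2:-120}; waited=0
    while [ "$(current_state "$vm")" != poweroff ]; do
        if [ "$waited" -ge "$limit" ]; then
            echo "$vm did not power off within ${limit}s" >&2
            return 1
        fi
        sleep 5; waited=$((waited + 5))
    done
}

# Copy a file and confirm the copy's SHA-256 matches the source.
copy_and_verify() {
    src=$1; dst=$2
    cp -- "$src" "$dst" || return 1
    [ "$(sha256sum < "$src")" = "$(sha256sum < "$dst")" ]
}

backup_vm() {
    vm=$1; disk=$2; dest_dir=$3
    case "$(current_state "$vm")" in
        poweroff) ;;
        saved)
            # A suspended guest still has unflushed state in its saved memory image;
            # resume it and shut it down cleanly instead of copying the disk now.
            echo "$vm is suspended, not shut down; resume it and power it off first" >&2
            return 1 ;;
        *)
            # The ACPI power button gives the guest a clean shutdown, so its filesystem
            # (and a LUKS volume inside it) is closed before the image is copied.
            VBoxManage controlvm "$vm" acpipowerbutton
            wait_for_poweroff "$vm" || return 1 ;;
    esac
    stamp=$(date +%Y%m%d-%H%M%S)
    copy_and_verify "$disk" "$dest_dir/$(basename "$disk").$stamp.bak"
}

# Usage: backup_vm Social "$HOME/VirtualBox VMs/Social/Social.vdi" /media/usb/vm-backups
```

The checksum step matters most when the destination is a thumb drive: a copy that silently failed partway through looks like a valid image until the day you try to boot it.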

Creating a Template

Unless you want to install Linux from scratch each time you want to create a new container, it’s best to create a template. To do this, create a virtual machine and give it as small a disk image as possible. Install your operating system of choice.

Before installing, keep in mind that this configuration will be mirrored to every other virtual machine of the same operating system version you create in the future. Because of this:

For maximum flexibility, do a text-mode install and skip installing a desktop environment. This will reduce install size and be perfect for future VMs that don’t need a desktop.

Update the OS and set whatever preferences you like for all your machines but do not install any software unless you expect it to be on every virtual install.

Finally, install any applicable guest extensions. If you’re using a Debian 9 guest on VirtualBox, I’ve found installing the guest additions via the menu (Devices -> Install Guest Additions) is the best method. If you aren’t running a desktop environment, you’ll need to run:

mount /media/cdrom

then run the *.run file (VBoxLinuxAdditions.run) from the mounted CD to install. The installer builds kernel modules, so the guest needs build-essential and the linux-headers package matching its running kernel before you run it. For maximum convenience, copy the .run file to your home directory, as you may have to re-run it after a kernel upgrade.

Once you are happy with how it’s running, shut down the virtual machine (don’t suspend it) and back the file up on removable media in case something goes wrong.

Repeat this process for any other distribution or operating system you may wish to use and name it appropriately so you can easily distinguish it for the next step.

You can check out the Debian VirtualBox wiki page for more details.

Setting up the Friend Zone

Now it’s time to create a container just for those pesky social apps we can’t live without. In VirtualBox, right-click on the template VM and click Clone. Choose a full clone, which is independent of the template, rather than a linked clone. For KVM, you can do the same in the graphical Virtual Machine Manager.

Once the clone is complete, fire it up, load your browser, and sign in to Facebook, Twitter, or any other social platform of your choice. From now on, this will be your ONLY access to these networks. Do not browse any other sites on this VM, and don’t log into Facebook on any other virtual machines.

Facebook and friends’ ability to track you will be limited to that container. You’ve put the big blue social network in the friend zone.

All the Containers

Once you have your social networking playground established, it’s time to consider how you want to segment other projects. Perhaps you’d like to create a VM for each of your clients — installing the tools, keys, saved passwords, and other details necessary to work on that job. If you work for a company, a work VM might be incredibly helpful. In either case, just use the clone feature as described above.

In my case, I work with a variety of programming languages and tools. In some cases, I need to work on an ancient Ruby on Rails 2.x project that requires Ruby 1.8.7 and a rather antique set of gems. In others I need the most modern Rails gems and Ruby interpreter. I know tools like rvm and rbenv make managing multiple Ruby versions and gemsets easy, but with containerization you never have to worry about conflicts or forgetting which Ruby version is active. PHP developers maintaining projects built with PHP 5.6 and PHP 7.x will find this approach far easier as well.

Breathing Room

If the project demands larger disks, you can expand your initially small image from the template. To do so, create the clone then, before powering on the machine, resize it according to the instructions below:

KVM

qemu-img resize DISKIMAGE.qcow2 +20G

(replace DISKIMAGE.qcow2 with the filename of the image, and +20G with the desired size increase)

VirtualBox

VBoxManage modifyhd DISKIMAGE.vdi --resize 40960

(replace DISKIMAGE.vdi with the filename of the image, and 40960 with the new disk size in megabytes; on VirtualBox 5.0 and later the same subcommand is also available under its newer name, modifymedium)

Either command only grows the virtual disk itself. Inside the guest, the partition and filesystem (and, if you encrypted the guest, the LUKS volume) still have to be extended before the new space is usable.

VPN Usage

Virtual private networks are an excellent way to keep your ISP from snooping on your internet traffic. However, latency issues may keep you from wanting to send all of your traffic through your favorite VPN provider.

Virtualization makes this easier to manage: you run the VPN client only inside the containers you want protected and leave it off for the rest. You may not care about protecting your online gaming or Netflix streaming, but you probably do want the traffic from your email or online banking container encrypted.

Remote Access

If you need remote access to your virtual machines, or you’d like to SSH into them, you can do that easily with either platform. In VirtualBox, click on the Machine menu then click Settings (or right-click the machine in the list and click Settings), then pick Remote Display in the Display section, enable the server and configure it as you like (the VRDP server requires the VirtualBox Extension Pack to be installed on the host).

In KVM, click on the Display VNC item under the virtual machine details section, pick VNC, and set a password.

In either case, you can connect either locally or via your local network. If you create a VPN you can even connect from a remote location.

For SSH into a VirtualBox guest on the default NAT adapter, you’ll need to forward a port on the host to port 22 in the guest. Go to the VM settings, click Network, then click Port Forwarding under Adapter 1. In the next window, click the add button and enter “SSH” for the name, “127.0.0.1” for the host IP, “2222” for the host port (or any other port that doesn’t conflict with the host’s own SSH daemon), “0.0.0.0” for the guest IP, then “22” for the guest port. Adjust the guest port if you have changed the port SSH runs on inside the virtual machine. Binding the host IP to 127.0.0.1 keeps the forwarded port reachable only from the host itself rather than from the whole LAN.

To connect via SSH, use “127.0.0.1” for your IP and the port you chose (in this case, 2222), like so:

ssh root@localhost -p 2222

(adjust root to match the desired username if applicable)
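The same port forward can be created from the command line, which is handy when you are cloning VMs in bulk. This is an added example, not from the original article. It assumes a VirtualBox VM with its first adapter in NAT mode (the VM name is a placeholder) and builds the natpf rule with the host side pinned to 127.0.0.1, refuses host ports below 1024 so the rule can never shadow the host’s own sshd, and includes a check that lists any existing forwards reachable from beyond the host, i.e. those with an empty or 0.0.0.0 host address. The guest IP field is left empty, which VirtualBox resolves to the guest’s NAT address.

```shell
#!/bin/sh
# Added example (not part of the original article): manage the SSH port
# forward for a VirtualBox NAT guest from the command line. Assumes
# VBoxManage is on PATH; "Social" in the usage comment is a placeholder VM name.

# Build a natpf rule "name,tcp,host-ip,host-port,guest-ip,guest-port".
# The host IP is pinned to 127.0.0.1 so only this host can reach the port;
# the guest IP is left empty and VirtualBox fills in the guest's NAT address.
natpf_rule() {
    name=$1; host_port=$2; guest_port=${3:-22}
    case "$host_port" in
        ''|*[!0-9]*) echo "host port must be numeric" >&2; return 1 ;;
    esac
    # Stay out of the privileged range so the rule can never shadow the host's own sshd on 22.
    if [ "$host_port" -lt 1024 ] || [ "$host_port" -gt 65535 ]; then
        echo "host port must be between 1024 and 65535" >&2
        return 1
    fi
    echo "$name,tcp,127.0.0.1,$host_port,,$guest_port"
}

# Apply the rule to the VM's first adapter (the VM must be powered off).
add_ssh_forward() {
    vm=$1; host_port=$2
    rule=$(natpf_rule SSH "$host_port") || return 1
    VBoxManage modifyvm "$vm" --natpf1 "$rule"
}

# Extract the rules from `VBoxManage showvminfo VM --machinereadable`
# output, which lists them as Forwarding(0)="...". Reads that output from
# stdin so the parser can be tested on a constructed sample.
parse_forwards() {
    sed -n 's/^Forwarding([0-9]*)="\([^"]*\)"$/\1/p'
}

# Print the names of forwards that other machines can reach: an empty or
# 0.0.0.0 host address binds the port on every interface of the host.
exposed_forwards() {
    parse_forwards | awk -F, '$3 == "" || $3 == "0.0.0.0" { print $1 }'
}

# Usage:
#   add_ssh_forward Social 2222
#   VBoxManage showvminfo Social --machinereadable | exposed_forwards
#   ssh -p 2222 root@127.0.0.1
```

Run the exposed_forwards check against every VM now and then; it is easy to add a forward in the GUI, leave the host IP blank, and unintentionally publish a container’s service to the whole network.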

For KVM, use the bridge method as described above. Then, simply connect via SSH to the local IP as you would any other machine.

Conclusion

We’ve covered a lot of material in this guide, but there are many more possibilities with virtualization. In future articles I hope to cover advanced topics like attaching a GPU to a Windows guest for gaming under Linux, linked clones, automatic orchestration, and more. For now, using this guide, you have the steps necessary to help take back your privacy and better organize the segments of your computing life into logical containers.

This is the strategy I used to help reclaim my privacy. I’d love to know your thoughts as well as any techniques you practice to keep your computing secure and your personal data safe.