Building a Security Stack for Digital Nomads

Most digital nomads cobble together their security from blog posts and VPN ads. That works fine until you're in a coworking space in Nairobi on sketchy Wi-Fi, or a border agent in Kazakhstan wants to "inspect" your laptop.

Then your patchwork falls apart.

Here's the stack I actually use—hardware, network, identity, data, comms. It's not perfect. But it's kept me working through power outages, border crossings, and hostile networks for three years.

Photo: Unsplash / Mimi Thian

September 2023: The Kazakhstan Border Thing

Almaty airport. 11pm. I'm flying out after a two-week client gig.

Border guard pulls me aside. "Laptop. Open."

This happens sometimes. Usually they just glance at the desktop, make sure you're not smuggling... I don't know, illegal PDFs? Then they wave you through.

Not this time.

He boots my MacBook Air. Points at the screen. "Password."

I unlock it. He starts clicking through folders. Opens Chrome. Checks my browsing history. Opens Finder. Scrolls through Documents.

I'm sweating. Not because I have anything illegal—I don't. But because my Documents folder has client files, SSH keys, API credentials, contracts with NDAs. If he copies any of that, my clients are exposed. If he plants something, I'm screwed.

After five minutes he hands it back. Waves me through.

I got lucky. But that's when I realized: if a border agent demands access, you need a device you can hand over without exposing client data. A decoy.

Since then, I carry two devices: my real work laptop (MacBook Pro, encrypted, locked down) and a lightweight Chromebook ($300) with zero sensitive data. Browser logged into low-privilege accounts, a few PDFs about "travel blogging," some photos. Looks legit. Contains nothing.

If a border agent asks? I hand them the Chromebook. They're happy. I'm clean.

Hardware: What I Actually Carry

Primary laptop: MacBook Pro M2 with FileVault enabled. Hardware-backed Secure Enclave, firmware updates that actually ship. I used to use a ThinkPad X1 Carbon with Linux + LUKS encryption—also solid, but macOS integration with 1Password and Tailscale is smoother for my workflow.

Decoy device: Chromebook (Lenovo Flex 5, $300). Zero client data. Logged into a separate Google account I use for travel logistics. Has my Airbnb confirmations, flight PDFs, a few "digital nomad blogging" docs. Believable.

Before I leave: I update firmware to latest stable, enable secure boot, set a long BIOS password. For macOS: FileVault on. For Windows: BitLocker with TPM-backed PIN. For Linux: LUKS with a high-entropy passphrase + YubiKey for unlocking.

Privacy filter: 3M privacy screen ($40). Narrows viewing angle to ±30 degrees. On planes and in cafés, nobody can shoulder-surf your screen.

Network: VPNs, Travel Routers, and When Hotel Wi-Fi Is a Trap

Consumer VPNs? I use them sometimes (NordVPN, Mullvad). But I don't trust them for client work.

Instead, I run my own WireGuard server on a $5/month DigitalOcean droplet in New York. I control the server, I control the logs (there aren't any), I control who has access (me). I connect via the WireGuard app on macOS/iOS. Clean tunnel back to a known environment.

Firewall rules: SSH access restricted to my home IP and the VPN server. Everything else blocked.
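To make that "SSH from home and the tunnel, everything else blocked" rule concrete, here is an added example of the droplet's host firewall as an nftables ruleset. It is not the post's own configuration; the home IP 203.0.113.10 (a documentation-range address), the tunnel subnet 10.8.0.0/24, the WAN interface name eth0 and UDP port 51820 are all assumptions you would replace with your own values.

```shell
#!/bin/sh
# Added example (not the post's own configuration): host firewall for a
# self-hosted WireGuard droplet, rendered as an nftables ruleset.
# Assumed values: home IP 203.0.113.10 (documentation range), tunnel subnet
# 10.8.0.0/24, WAN interface eth0, WireGuard listening on UDP 51820.
set -eu

# render_nft_ruleset HOME_IP WG_PORT [WAN_IF] [TUNNEL_NET]
# Inbound policy is drop. From the internet only three things get in:
# replies to established flows, ICMP (path MTU discovery needs it) and the
# WireGuard port, which is safe to expose because the tunnel's own handshake
# authenticates peers. SSH is reachable only from the home IP or from a
# client that is already inside the tunnel.
render_nft_ruleset() {
  home_ip="$1"; wg_port="$2"; wan_if="${3:-eth0}"; tunnel_net="${4:-10.8.0.0/24}"
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    meta l4proto { icmp, ipv6-icmp } accept
    # WireGuard: open to the world, authenticated by the tunnel itself
    udp dport $wg_port accept
    # SSH: home IP and tunnel clients only
    ip saddr { $home_ip, $tunnel_net } tcp dport 22 accept
    # Everything else hits the drop policy; log a sample for later review
    limit rate 5/minute log prefix "nft-drop: "
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Tunnel clients may reach the internet; nothing may initiate toward them
    iifname "wg0" oifname "$wan_if" accept
    iifname "$wan_if" oifname "wg0" ct state established,related accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$wan_if" ip saddr $tunnel_net masquerade
  }
}
EOF
}

# apply_ruleset ARGS...: syntax-check first, then load atomically.
# nft -f replaces the whole ruleset in one transaction, so a typo cannot
# leave the box half-configured (and half-exposed).
apply_ruleset() {
  tmp="$(mktemp)"
  render_nft_ruleset "$@" > "$tmp"
  nft -c -f "$tmp" && nft -f "$tmp"
  rm -f "$tmp"
}

# Usage: ./droplet-fw.sh --apply 203.0.113.10 51820 [eth0] [10.8.0.0/24]
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_ruleset "$@"
fi
```

Run it without `--apply` to print the ruleset and read it before loading it on the droplet. The forward chain plus the NAT table is what lets tunnel clients browse through the server; that also needs `net.ipv4.ip_forward=1` in sysctl. The example covers an IPv4-only tunnel; if the droplet also routes IPv6 for clients, the forward and NAT rules need v6 counterparts.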

Travel router: GL.iNet GL-MT3000 ($80). Two SSIDs—one hidden for my devices, one guest network for anything sketchy. DNS goes through NextDNS (free tier, $20/year for pro). Auto-updates firmware when it detects a trusted network. In hostile environments (looking at you, Nairobi hotel lobby), I load a firewall profile that blocks all inbound and disables UPnP.

Backup connectivity: 4G/5G hotspot with eSIM. When hotel Wi-Fi dies (and it will), I pivot to cellular. I use Airalo for eSIMs—preload 5GB for $10-20 depending on country. Set a usage alert at 80% so I'm not surprised by overages.

Actually, scratch that—I also set an alert if usage spikes unexpectedly. That's usually a sign someone's latched onto my hotspot without permission.
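The two alerts above (80% of the plan, and an unexpected spike) are easy to compute from the hotspot's byte counter. This added example is not the post's own tooling: it reads one `<epoch> <bytes_total>` line per sample, which you could collect from `ip -s link show` on the tethering interface, and the samples embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not the post's own tooling): quota and spike alerts for a
# hotspot's cumulative byte counter. Input: one "<epoch> <bytes_total>" line
# per sample on stdin. The sample data below is constructed.
set -eu

# check_usage QUOTA_BYTES [QUOTA_PCT] [SPIKE_FACTOR]  < samples
# Prints a QUOTA line once cumulative use reaches QUOTA_PCT (default 80) of the
# plan, and a SPIKE line when the most recent interval's transfer rate exceeds
# SPIKE_FACTOR (default 3) times the mean rate of all earlier intervals.
# Someone else riding the hotspot shows up here long before the quota alert.
check_usage() {
  awk -v quota="$1" -v pct="${2:-80}" -v factor="${3:-3}" '
    NR > 1 {
      dt = $1 - prev_ts
      delta = $2 - prev_b
      # A negative delta means the counter reset (hotspot rebooted): skip it,
      # but keep the new counter value as the baseline for the next sample.
      if (delta >= 0) used += delta
      if (dt > 0 && delta >= 0) {        # also skip duplicate timestamps
        rate = delta / dt                # bytes per second over this interval
        sum += rate; last_rate = rate; n++
      }
    }
    { prev_ts = $1; prev_b = $2 }
    END {
      if (quota > 0 && used * 100 >= quota * pct)
        printf "QUOTA used %.0f%% of plan (%.0f of %.0f bytes)\n",
               used * 100 / quota, used, quota
      if (n >= 3) {
        base = (sum - last_rate) / (n - 1)   # mean rate of all but the last interval
        if (base > 0 && last_rate > factor * base)
          printf "SPIKE last interval %.0f B/s vs baseline %.0f B/s (x%.1f)\n",
                 last_rate, base, last_rate / base
      }
    }'
}

# Constructed samples: a counter polled every 15 minutes. Four intervals move
# roughly 20 MB each, then the last one moves 320 MB.
sample_log() {
  cat <<'EOF'
1700000000 0
1700000900 20000000
1700001800 42000000
1700002700 61000000
1700003600 80000000
1700004500 400000000
EOF
}

# Usage: ./usage-alert.sh 5368709120 < samples.log   (5 GiB plan)
if [ $# -ge 1 ]; then
  check_usage "$@"
fi
```

Feed it from a cron job that appends a sample every few minutes and pipe any output to whatever already wakes you up (Healthchecks.io, a Signal bot, plain `mail`). Rates are compared rather than raw byte counts, so the spike detector keeps working when your polling interval is irregular.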

Identity: Passwords, 2FA, and Why SMS Is Terrible

Accounts are the blast radius. If someone gets your email password, they can reset everything else.

So here's what I use:

Password manager: 1Password ($7.99/month for Families). Has "travel mode"—you mark specific vaults as safe, and it wipes the rest from your device until you're back home. So if a border agent demands access, they only see your "travel" vault with hotel bookings and flight confirmations. Not your client AWS keys.

2FA: YubiKey 5C NFC ($55) as primary, backup YubiKey stored separately (at my parents' house). Every critical service—email, bank, GitHub, AWS—uses the YubiKey for WebAuthn/FIDO2. Where the provider doesn't support hardware keys (looking at you, random SaaS apps), I use 1Password's built-in TOTP generator. Never SMS.

Why not SMS? Because SIM swapping is trivial. Someone calls your carrier, social engineers the support rep, and ports your number to their SIM. Now they get your 2FA codes. I've seen this happen to three people I know. Don't use SMS for anything important.

Identity segmentation: I have three profiles. Work email for client stuff. Travel email for Airbnb/flights. Personal email for friends/family. Each uses a different password manager vault. If my travel email gets compromised (happened in 2022, long story), my client accounts are untouched.

For services that force SMS verification? I use a VoIP number (Google Voice, free). I can redirect or freeze it remotely. If it gets compromised, I burn it and get a new one.

Layer 4: Data Architecture and Backups

Local storage will fail right when you cannot visit an electronics store. Follow the 3-2-1 model: three copies of your data, on two different kinds of media, with one copy off-site. Keep primary data on your encrypted laptop, replicate to an encrypted SSD (Samsung T7 Shield is rugged and fast), and push nightly snapshots to a cloud provider where you control the keys.

  • Primary: encrypted internal SSD, with files organized into project-based containers.
  • Secondary: encrypted external SSD stored in your lodging safe when not in use.
  • Tertiary: object storage bucket (Backblaze B2 or Wasabi) synced over your VPN with lifecycle policies.

Automate backups with restic or Borg, both of which support deduplication and compression. Schedule the job to run when the VPN is active, and log success or failure to a monitoring service (Healthchecks.io works well). Keep a printed recovery checklist in your kit so you can rebuild under stress.
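Here is an added example of that nightly job with restic, gated on the WireGuard tunnel and reporting to Healthchecks.io. It is not the post's own script. Assumptions: the tunnel interface is named wg0 and the wireguard-tools `wg` CLI can see it, the restic repository credentials are already in the environment (`RESTIC_REPOSITORY`, `RESTIC_PASSWORD_FILE`, and for Backblaze `B2_ACCOUNT_ID`/`B2_ACCOUNT_KEY`), and the check URL carries a placeholder UUID you replace with your own.

```shell
#!/bin/sh
# Added example (not the post's own script): nightly restic push to the cloud
# repository, run only while the WireGuard tunnel is up, with start/success/fail
# reported to Healthchecks.io. Assumed: interface wg0 visible to the `wg` CLI,
# restic credentials already exported in the environment, placeholder check UUID.
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
BACKUP_PATHS="${BACKUP_PATHS:-${HOME:-.}/Projects ${HOME:-.}/Documents}"
HC_URL="${HC_URL:-https://hc-ping.com/REPLACE-WITH-YOUR-CHECK-UUID}"   # placeholder
MAX_HANDSHAKE_AGE=180   # WireGuard rekeys every 120 s; older than this and the tunnel is stale

# handshake_is_fresh HANDSHAKES NOW [MAX_AGE]
# HANDSHAKES is the output of `wg show <iface> latest-handshakes`: one
# "<peer-key><TAB><epoch>" line per peer, epoch 0 meaning "never".
# Returns 0 when at least one peer completed a handshake within MAX_AGE
# seconds of NOW. An interface that merely exists is not proof of a tunnel.
handshake_is_fresh() {
  printf '%s\n' "$1" | awk -v now="$2" -v max="${3:-180}" '
    NF >= 2 && $2 > 0 && (now - $2) <= max { fresh = 1 }
    END { exit fresh ? 0 : 1 }'
}

vpn_is_up() {
  handshake_is_fresh "$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null || true)" \
                     "$(date +%s)" "$MAX_HANDSHAKE_AGE"
}

# hc_ping [SUFFIX]: "" = success, "/start" = job started, "/fail" = job failed.
# Trouble reaching the monitoring service must never abort the backup itself.
hc_ping() {
  curl -fsS -m 10 --retry 5 -o /dev/null "$HC_URL${1:-}" || true
}

run_backup() {
  # shellcheck disable=SC2086  # BACKUP_PATHS is intentionally word-split
  restic backup --one-file-system --exclude-caches --tag nightly $BACKUP_PATHS
  # Retention: a week of dailies, a month of weeklies, half a year of monthlies
  restic forget --tag nightly --keep-daily 7 --keep-weekly 4 --keep-monthly 6 --prune
}

main() {
  if ! vpn_is_up; then
    # Not a failure: the scheduler simply tries again at the next slot.
    echo "backup skipped: $WG_IFACE has no fresh handshake" >&2
    return 0
  fi
  hc_ping /start
  if run_backup; then
    hc_ping
  else
    hc_ping /fail
    return 1
  fi
}

# Usage: ./nightly-backup.sh --run   (from cron or a launchd agent)
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Two design points. The VPN check looks at handshake age rather than interface state, because a laptop that roamed between networks often keeps wg0 up with no working peer behind it. And a skipped run exits 0 but never pings the check, so if the tunnel stays down for a whole night Healthchecks.io raises the alarm on the missed deadline; that is the same signal your morning "did backups run?" look should start from.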

Layer 5: Communications Playbook

Your stack is only as strong as your communications discipline. Establish three channels: routine, sensitive, and emergency.

  • Routine: Email with PGP for sensitive attachments, Slack/Teams through your VPN, and scheduled office hours with clients.
  • Sensitive: Signal with disappearing messages for contract negotiations, Proton Mail for high-stakes correspondence, and an encrypted voice platform like Silent Phone if your client supports it.
  • Emergency: Garmin inReach Mini for SOS and check-ins when networks collapse, plus a trusted confidant who knows the code words to verify your identity.

Document exactly when to escalate from routine to sensitive, and from sensitive to emergency. The trigger might be a compromised coworking network, a confiscated device, or a natural disaster. Decisions made ahead of time keep panic out of the cockpit.

Layer 6: Physical Security and Situational Awareness

Coworking spaces blur public and private boundaries. Treat them as untrusted. Position yourself with a clear line of sight to entrances and keep your bag tethered to a fixed object. Loop an RFID-blocking sleeve through the tether so your passport cannot be snatched in a quick grab.

Adopt a daily sweep routine: before leaving a workspace, check for USB drives or cables you did not bring. Use a small UV flashlight to inspect door strikes in your lodging and verify they have not been tampered with. When you move to a new rental, change the safe code immediately and wedge the interior doors at night.

Carry a compact Faraday pouch. Drop your phone inside during sensitive meetings or while crossing borders. If a security guard insists on holding your device, power it down first; cold boot attacks remain rare but real, and a powered phone streams data you cannot control.

Layer 7: Operational Procedures

Technology buys you time, but behavior keeps you safe. Define morning and evening rituals that reinforce good habits. Each morning, run a 60-second check: confirm your VPN is connected, verify backups ran overnight, and review calendar invites for unexpected links. Each evening, reconcile expenses, log unusual events, and stage gear for the next day.

Run a weekly red-team audit on yourself. Spend thirty minutes trying to break your own safeguards—can you access critical accounts without a hardware key? Are old login cookies lingering in the browser? Did you leave sensitive notebooks in a visible place? Document findings and adjust controls.

Layer 8: Exit Strategy

Nomads often extend stays until visas expire or infrastructure collapses. Build an exit framework early. Track visa deadlines, embed reminders in your calendar, and pack a “bug-out” pouch with essentials: passport, encrypted SSD, cash, and medication. Keep it ready by the door.

Maintain a short list of relocation hubs with stable connectivity and relationships you can activate quickly—a trusted landlord, coworking host, and local fixer. If the environment deteriorates, switch to a lighter digital footprint: shut down non-essential services, forward mail to a digital address, and alert clients of the contingency plan. Exit on your terms, not the environment’s.

Is This Paranoid? Maybe.

After that Kazakhstan border thing, I rebuilt my entire stack. Decoy device, hardware keys, travel mode, encrypted backups, the works.

Total cost: ~$800 upfront (Chromebook, YubiKeys, SSDs, router) + ~$30/month (1Password, NextDNS, DigitalOcean droplet).

Is it overkill? For most people, probably yes.

But I work with clients who pay me $50K+ per year. If my laptop gets compromised at a border crossing or on hostel Wi-Fi, those relationships are done. If I lose client data, I'm legally liable. If I miss a deadline because my laptop died and I have no backups, I lose the contract.

So yeah, I carry a decoy device. I run my own VPN. I use hardware keys for everything. I back up to three locations.

The nomads who treat security as optional are gambling. And eventually, the house wins.

Build the stack. Rehearse it. Update it every six months. And when a border guard says "laptop, open," you'll hand them the Chromebook and walk away clean.