Privacy Stacks
Threat-Model StacksIntermediate

Privacy Tools for Remote Workers and Digital Nomads

An affiliate-free privacy stack for people who work from airports, cafés, and hotels — VPN, encrypted DNS, password manager, encrypted cloud storage, and secure calls that protect you and your clients on hostile Wi-Fi.

July 7, 202630 minutesIntermediate

Privacy Tools for Remote Workers and Digital Nomads

The stack that keeps you — and your clients' data — safe on Wi-Fi you don't control.

Who this is for and what it defends against

You work from airports, hotel lobbies, coworking spaces, and cafés, on networks a stranger administers. That's the exposure: hostile or public Wi-Fi that can watch or tamper with your traffic, account takeover while you're logged into a dozen client systems, client-data leakage if a laptop is lost or a file syncs in the clear, and cross-border scrutiny of the device you carry.

This stack insulates your connection, compartmentalizes your credentials, and shields the files and calls that carry client work. It does not cover physical device seizure at a border, full-device anonymity, or a compromised endpoint — if your laptop itself is infected, no network tool saves you.

One promise up front: this stack is affiliate-free. Most "nomad security" roundups are a single VPN pitch in disguise. A VPN is one layer of six here, and none of these links pay us.

The stack, by layer

Network — Mullvad

Audited · Public GitHub · No account or email

On a network you don't control, a VPN is the first move: it insulates all of your traffic from the local network and from whoever runs it. Mullvad is independently audited and takes no email or account — you're a random number, not a profile — which matters when you're connecting from jurisdictions you don't know. Prefer a no-logs alternative? iVPN is a solid swap.

Network — encrypted DNS with DNScrypt-proxy 2

Public GitHub

Even with a VPN, your DNS lookups — the list of every domain you reach — can leak and reveal where you go. DNScrypt-proxy 2 encrypts and authenticates those lookups so the local network can't read or forge them. Want something with zero setup? Control D gives you customizable filtering DNS without editing config files — the friction-for-control tradeoff is yours to make.

Identity — Bitwarden

Public GitHub · Free tier

You're signed into client dashboards, email, and infrastructure all day; one reused password is a standing account-takeover risk. Bitwarden gives every account a unique random password, syncs across your devices, and its clients are public on GitHub. If you'd rather keep the vault entirely offline, KeePass (open-source) is the local-only pick; ProtonPass (open-source) is the end-to-end-encrypted cloud option.

Files — Cryptomator

Public GitHub · Client-side encryption

Client files that sync through Google Drive or Dropbox are readable by the provider and exposed if an account is breached. Cryptomator encrypts them client-side, before they leave your machine, so the cloud only ever holds ciphertext — and it works on top of whatever storage you already use. Want native zero-knowledge storage instead of a layer? Filen encrypts on-device by default.

Comms — Signal for calls, Element / Matrix for the team

Signal & Matrix: open-source · Public GitHub

Client calls and team chat carry the same sensitive work as your files. Signal end-to-end encrypts one-to-one voice and video with minimal metadata — the clean pick for a private client call. For ongoing team collaboration, Matrix (with the Element client) gives you decentralized, end-to-end-encrypted rooms you can even self-host, so your team's history doesn't live on someone else's SaaS.

Tradeoffs — the friction is real

Layer The honest cost
Mullvad Some sites block VPN exit IPs; keep it toggleable
DNScrypt-proxy 2 Config-file setup; Control D trades control for ease
Bitwarden Master password is the whole vault; and it needs sync access
Cryptomator Adds an unlock step to every file session
Signal / Matrix Everyone on the call or in the room has to adopt it too

The recurring theme: privacy on the road costs a few seconds of friction per session. That's the price of not trusting a network you can't see. Pick the easier variant (Control D over raw DNScrypt, Filen over Cryptomator) when a teammate won't tolerate setup — just know what you traded.

Frequently asked questions

What privacy tools do remote workers actually need?

Six layers: a VPN for untrusted networks, encrypted DNS so your lookups don't leak, a password manager for account-takeover resistance, client-side-encrypted cloud storage for client files, and end-to-end-encrypted calls and team chat. A VPN alone is the common mistake — it's necessary but not sufficient.

Is public Wi-Fi safe if I use a VPN?

Much safer. A VPN insulates your traffic from the local network and whoever runs it, which neutralizes the main café- and airport-Wi-Fi risks of snooping and tampering. Pair it with encrypted DNS so your domain lookups don't leak separately, and you've covered the realistic threats on an untrusted network.

How do I protect client data while working abroad?

Encrypt it before it leaves your device. A client-side tool like Cryptomator turns any cloud folder into ciphertext the provider can't read, so a breached storage account or a lost laptop doesn't expose the underlying files. Combine that with a password manager and encrypted calls so the credentials and conversations around the data are protected too.

Do I still need encrypted DNS if I have a VPN?

Usually the VPN handles DNS, but leaks happen — misconfigured clients, split tunneling, or dropped connections can expose lookups to the local network. Running encrypted DNS such as DNScrypt-proxy 2 closes that gap by encrypting and authenticating the lookups themselves, independent of the VPN tunnel's state.

What's the best encrypted cloud storage for freelancers?

Two good approaches: layer Cryptomator over the storage you already use so files are encrypted client-side, or move to native zero-knowledge storage like Filen that encrypts on-device by default. The layer is more flexible; the native option is simpler. Either keeps client files as ciphertext the provider can't read.


Six layers, one setup session. Built for the person whose office is wherever the Wi-Fi is.

Tags

remote-workdigital-nomadvpnthreat-modelencrypted-storage

Build your stack

Browse the vetted directory to compare every tool, or run a free check on your own exposure.