Build Your Complete Privacy Stack from Scratch
Why you need a privacy stack (not just one tool)
No single tool protects your entire digital life. A VPN hides your traffic but doesn’t stop data brokers from selling your home address. Encrypted email protects your messages but doesn’t prevent credential theft. Each privacy tool covers a different attack surface.
This guide walks you through building a complete privacy stack, layer by layer, with specific product recommendations from our independent testing.
Layer 1: Password manager (start here)
Your password manager is the foundation. It secures every other account in your stack. Without it, a single breached password compromises everything.
Our picks:
- Best overall: 1Password — $2.99/mo, intuitive design, Watchtower breach monitoring, family sharing
- Best free / open-source: Bitwarden — free tier is genuinely usable, $10/yr for premium
- Best Proton ecosystem: Proton Pass — included with Proton Unlimited, built-in email aliases
- Best Nord ecosystem: NordPass — included with NordVPN bundles, passkey support
See our full best password managers comparison and our 1Password vs Bitwarden head-to-head.
Setup time: 30 minutes for initial setup, 1-2 hours to migrate existing passwords.
Layer 2: VPN (protect your traffic)
A VPN encrypts your internet traffic and masks your IP address from your ISP, Wi-Fi operators, and websites. Essential on public Wi-Fi and for general browsing privacy.
Our picks:
- Best for privacy: Proton VPN — Swiss-based, open-source, independently audited, free tier available
- Best all-rounder: NordVPN — fastest speeds, largest server network, strong no-logs policy
- Best for router installation: See our best VPN for router guide
See our NordVPN vs Proton VPN comparison and our VPN protocol comparison guide.
Setup time: 10 minutes on desktop/mobile, 30-60 minutes for router setup.
Layer 3: Encrypted email (replace Gmail)
Standard email providers like Gmail scan your messages for advertising. Encrypted email providers use end-to-end encryption so nobody — including the provider — can read your messages.
Our picks:
- Best overall: Proton Mail — Swiss-based, E2EE by default, 100M+ users, most mature ecosystem
- Best alternative: Tuta — German-based, post-quantum encryption, slightly cheaper
- Best for business: Mailfence — Belgian-based, includes calendar and documents
See our full best encrypted email comparison and our Proton Mail vs Tuta head-to-head.
Setup time: 30 minutes for account creation, 1-3 hours to migrate contacts and set up forwarding from old accounts.
Layer 4: Data broker removal (clean up your past)
Data brokers collect and sell your personal information — name, address, phone number, relatives, income estimates. Even if you lock down everything going forward, your data is already on hundreds of broker sites.
Our picks:
- Best overall: Incogni — 420+ brokers, Deloitte-assured, $7.99/mo annually
- Best for proof: Optery — before/after screenshot evidence of every removal
- Best for US users: DeleteMe — 15-year track record, human-verified removals
See our full best data removal services comparison and our Incogni vs DeleteMe vs Optery head-to-head.
Setup time: 15 minutes. Provide your info, the service handles the rest.
Layer 5: Identity theft protection (monitor and insure)
Identity theft protection services monitor your personal information across the dark web, credit bureaus, and public records, alerting you to suspicious activity and providing insurance if you’re victimized.
Our picks:
- Best overall: Aura — comprehensive monitoring, $1M insurance, family plans
- Best legacy brand: LifeLock — Norton-backed, strongest brand recognition
- Best Nord ecosystem: NordProtect — bundled with NordVPN plans
See our full best identity theft protection comparison and our Aura vs LifeLock head-to-head.
Setup time: 20 minutes for enrollment and monitoring setup.
Layer 6: Encrypted cloud storage (protect your files)
Standard cloud storage (Google Drive, Dropbox, iCloud) can access your files. Encrypted cloud storage uses zero-knowledge encryption — only you hold the decryption keys.
Our picks:
- Best overall: Tresorit — Swiss-based, strongest security certifications, business-grade
- Best Proton ecosystem: Proton Drive — included with Proton Unlimited, integrated with Mail
- Best value: Sync.com — 2TB for $8/mo, Canadian-based, zero-knowledge
- Best speed: Icedrive — Twofish encryption, strong performance
See our full best encrypted cloud storage comparison and our Proton Drive vs Tresorit head-to-head.
Setup time: 30 minutes for setup, 1-4 hours to migrate files depending on volume.
Layer 7: Hardware security key (physical 2FA)
A hardware security key is the strongest form of two-factor authentication — immune to phishing, SIM swapping, and authenticator app compromises.
Our picks:
- Best overall: YubiKey 5 series — broadest protocol support (FIDO2, OTP, PIV, OpenPGP)
- Best budget: YubiKey Security Key series — FIDO2 only, half the price
- Best open-source: Nitrokey — firmware is open-source and auditable
See our full best hardware security keys comparison.
Setup time: 15 minutes per account you protect with the key.
Layer 8: Privacy phone (for advanced users)
For the highest level of mobile privacy, a de-Googled phone running a privacy-focused OS eliminates Google’s pervasive tracking.
Our picks:
- Best overall: Google Pixel + GrapheneOS — the gold standard for mobile privacy
- Best plug-and-play: Murena Fairphone with /e/OS — pre-installed, no technical setup
See our full best degoogled phones comparison.
Setup time: 1-3 hours for OS installation (GrapheneOS) or zero for pre-installed options.
Layer 9: Parental controls (for families)
If you have children, parental control software protects them online while respecting age-appropriate privacy boundaries.
Our picks:
- Best overall: Qustodio — cross-platform, strong content filtering
- Best for communication monitoring: Bark — monitors texts, email, and social media for concerning content
- Best for younger kids: Norton Family — simple, reliable, included with Norton 360
See our full best parental control apps comparison and our Bark vs Qustodio head-to-head.
The complete privacy stack at a glance
| Layer | Tool | Monthly cost | Priority |
|---|---|---|---|
| Password manager | 1Password or Bitwarden | $0-3 | Essential |
| VPN | Proton VPN or NordVPN | $3-5 | Essential |
| Encrypted email | Proton Mail or Tuta | $0-5 | Essential |
| Data removal | Incogni or DeleteMe | $8-11 | High |
| Identity protection | Aura or NordProtect | $9-15 | Medium |
| Cloud storage | Tresorit or Proton Drive | $0-8 | Medium |
| Security key | YubiKey | $25-55 (one-time) | Medium |
| Privacy phone | GrapheneOS on Pixel | $0 (free OS) | Advanced |
| Parental controls | Qustodio or Bark | $5-16 | If applicable |
Budget stack (essential layers): $11-13/mo Full stack: $25-47/mo + one-time hardware costs
Ecosystem vs. best-of-breed
You have two approaches:
Ecosystem approach (simpler, cheaper)
Use one vendor’s suite for multiple layers. See our Proton Ecosystem Guide or Nord Ecosystem Guide.
Best-of-breed approach (stronger per-category)
Pick the top tool in each category. More accounts to manage but potentially stronger coverage in each area.
Related guides
- Proton Ecosystem Guide — review of Proton’s full suite
- Nord Ecosystem Guide — review of Nord Security’s full suite
- How to Switch from Google — privacy migration guide
- Privacy Tools for Families — family-specific picks