Digital Compartmentalization: Separate Identities Without Leaking Metadata
How to keep personas, browsers and devices actually isolated by closing the metadata leaks that destroy any separation within minutes.
You open Tor Browser for the research persona, but the system clock reads GMT-3 and the keyboard layout is pt-BR ABNT2. Three requests later, the fingerprint tells the story: Brazilian, Linux, Sao Paulo timezone, 2560x1440 monitor. Compartmentalization broken before the first login. The Basilisk team lives this daily: separating identities is not about a fake name on a form, it is about every bit leaving the machine telling the same coherent story for that persona. This post walks through the layers, from hardware to DNS, without illusions.
Start with the threat model before installing anything. A public bug-bounty persona on LinkedIn does not need the isolation of a researcher tracking a state APT group. Define three tiers: public persona (attributable to you), professional persona (pseudonymous, linkable to employers) and research persona (non-attributable). For each tier, list adversaries, capabilities and what you can lose. Without this you will install Qubes and still log into personal Gmail from the wrong session. See OPSEC for Security Researchers: Building a Personal Threat Model for a personal threat-model template that fits on one page.
Hardware is the first boundary. ThinkPad X1 with Coreboot, MacBook with Lockdown Mode or a dedicated Framework: the rule is that a device does not cross personas. If you use the same laptop for banking and offensive research, compromising one end kills both. When the budget does not fit three machines, run Qubes OS with disposable qubes per persona, or Whonix in a dedicated VM. The Tails, Whonix and Qubes comparison in Tails, Whonix or Qubes OS: Which to Pick for Each OPSEC Scenario helps pick by scenario; spoiler: Qubes for daily compartmentalized use, Tails for single amnesic sessions.
Browsers deserve their own chapter. Firefox with separate profiles is not enough: cookies, cache and fingerprinting leak across windows. Use Mullvad Browser or Tor Browser for the research persona, Brave with profiles for the professional one, and Safari for personal, each in its own VM or at least in Firefox Multi-Account Containers. Disable WebRTC, normalize resolution via letterboxing, keep User-Agent identical to the Tor crowd. Never install custom extensions in the non-attributable persona: each add-on adds entropy. On Tor specifically, read Real Anonymity with Tor: What Works and What is Myth in 2026 before assuming three hops fix everything.
Network and DNS are where most people slip. The research persona exiting the same residential IP as the personal persona collapses the separation in 30 seconds of correlation. Use Mullvad or IVPN with WireGuard inside distinct VMs, or route the research persona through Tor by default. DNS-over-HTTPS to the VPN provider resolver, never the ISP one. In Qubes, configure sys-vpn and sys-whonix as separate NetVMs per qube. Check for leaks with dnsleaktest.com and tcpdump on the physical interface before trusting anything. VPN marketing lies; packets leaving the NIC do not.
Metadata is the invisible Achilles' heel. You can have a flawless persona and publish a PDF with your real name in Author, or a photo with EXIF GPS pointing at your balcony. Before any publication, run exiftool -all= on the file, open PDFs with qpdf --linearize and review properties in LibreOffice. Office documents carry persistent GUIDs across versions that link files from the same machine. See Metadata Hygiene: Stripping EXIF, PDF and Office Before You Publish for the cleaning workflow by file type, and add mat2 as an automatic layer before uploading anything.
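To see what exiftool -all= actually removes from a photo, here is an added example (not from the original post, and not a replacement for exiftool or mat2) that walks the JPEG segment structure with only the standard library, lists the metadata-bearing segments and writes the file back without them. The sample file is a constructed segment stream, structurally valid but not a decodable image; the Exif payload inside it is a labelled stand-in for a real TIFF/GPS block.

```python
"""List and strip metadata segments from a JPEG using only the stdlib.

Added example, not from the original post. A JPEG is a sequence of
marker-delimited segments; Exif and XMP live in APP1, Photoshop/IPTC in
APP13 and free-text comments in COM. Dropping those segments leaves the
image data untouched. APP0 (JFIF) and APP2 (ICC profile) are kept so the
file still renders; mat2 and exiftool handle the other formats.
"""
import struct

SOI, EOI, APP0, APP1, APP13, COM, DQT, SOS = (
    0xFFD8, 0xFFD9, 0xFFE0, 0xFFE1, 0xFFED, 0xFFFE, 0xFFDB, 0xFFDA)
# Segments that carry metadata and are safe to drop before publishing.
METADATA_MARKERS = {APP1, APP13, COM}
# Markers that have no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {SOI, EOI, 0xFF01} | {0xFFD0 + i for i in range(8)}


def iter_segments(data: bytes):
    """Yield (marker, start, end) for each segment. The entropy-coded scan
    data after SOS is not marker-delimited, so it is yielded as one final
    chunk with marker None running to the end of the file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        (marker,) = struct.unpack(">H", data[pos:pos + 2])
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # length counts its own two bytes
        if end > len(data):
            raise ValueError(f"segment at offset {pos} runs past end of file")
        yield marker, pos, end
        pos = end
        if marker == SOS:
            yield None, pos, len(data)
            return


def describe(data: bytes, marker: int, start: int) -> str:
    """Name a metadata segment; APP1 is split into Exif and XMP by its header."""
    if marker == APP1:
        payload = data[start + 4:start + 36]
        if payload.startswith(b"Exif\x00\x00"):
            return "APP1/Exif"
        if payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            return "APP1/XMP"
        return "APP1/other"
    return {APP13: "APP13/IPTC", COM: "COM"}[marker]


def list_metadata(data: bytes):
    """Return the metadata segments present, in file order."""
    return [describe(data, m, s) for m, s, _ in iter_segments(data)
            if m in METADATA_MARKERS]


def strip_metadata(data: bytes) -> bytes:
    """Rebuild the file without any metadata segment; image data is copied as-is."""
    return b"".join(data[s:e] for m, s, e in iter_segments(data)
                    if m not in METADATA_MARKERS)


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: valid segment layout, placeholder contents.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08<constructed TIFF/GPS block>")
    + _segment(COM, b"constructed comment: balcony, 2026")
    + _segment(DQT, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78"  # constructed stand-in for entropy-coded data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", list_metadata(cleaned), f"({len(SAMPLE_JPEG) - len(cleaned)} bytes removed)")
```

Run list_metadata on the output of your own cleaning pipeline as a second opinion: a file that still shows an APP1/Exif or COM entry after exiftool -all= means the tool was not applied to the copy you are about to upload.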
Communication must follow the same compartmentalization. Signal with your personal number on the research persona is operational suicide; use SimpleX Chat or Session with per-persona identities, installed in separate Android profiles or on GrapheneOS work profiles. Never cross contacts between personas, not even by a notification mistake. Email follows the same logic: dedicated ProtonMail per persona, accessed only from the matching VM, no desktop client syncing everything. To pick the right messenger by threat model, Comms OPSEC: Signal, SimpleX and Session Technically Compared has the technical comparison that avoids choosing by hype.
Finally, operate separation as routine, not as a project. Monthly audit: list every persona, every account, every device, every IP used. Look for cross-overs in your own OSINT following Ethical OSINT: Investigating Your Own Digital Footprint with Maltego and Spiderfoot with Spiderfoot aimed at yourself. If the output links two personas that should be isolated, the flaw exists and is exploitable. Practical takeaway: today, pick one persona and map it on a sheet with three columns (device, network, identities) and mark every cell where it shares something with another persona. Each marked cell is technical debt to close within the next two weeks.
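The three-column sheet is easy to keep in code once you have more than a couple of personas. As an added example that is not part of the original post, the script below takes a constructed inventory (persona names, device, network and identity values are all made up) and does the audit mechanically: it marks every cell whose value is shared with another persona, and then goes one step further than the sheet by following shared values transitively, which is how a public and a research persona that share nothing directly still end up linked through the professional one in the middle.

```python
"""Audit a persona inventory for cross-overs between compartments.

Added example, not from the original post. The inventory mirrors the
three-column sheet from the text: for each persona, the set of devices,
networks and identities it uses. All values below are constructed.
"""
from collections import defaultdict

COLUMNS = ("device", "network", "identities")

INVENTORY = {
    "public": {
        "device": {"macbook-personal"},
        "network": {"home-fiber"},
        "identities": {"linkedin:real-name", "gmail:real-name"},
    },
    "professional": {
        "device": {"thinkpad-work"},
        "network": {"home-fiber", "office-wifi"},
        "identities": {"proton:pro-handle", "github:pro-handle"},
    },
    "research": {
        "device": {"thinkpad-work"},          # same laptop as the professional persona
        "network": {"mullvad-wg", "tor"},
        "identities": {"proton:research", "github:pro-handle"},  # reused GitHub login
    },
}


def find_crossovers(inventory):
    """Return {column: {value: [personas]}} for every value used by two or
    more personas. Each entry is one shared attribute that links them."""
    owners = defaultdict(lambda: defaultdict(set))
    for persona, columns in inventory.items():
        for column, values in columns.items():
            for value in values:
                owners[column][value].add(persona)
    return {
        column: {value: sorted(who) for value, who in values.items() if len(who) > 1}
        for column, values in owners.items()
        if any(len(who) > 1 for who in values.values())
    }


def marked_cells(inventory):
    """Return the set of (persona, column) cells that share at least one
    value with another persona: the cells to mark on the sheet."""
    cells = set()
    for column, shared in find_crossovers(inventory).items():
        for personas in shared.values():
            cells.update((p, column) for p in personas)
    return cells


def linked_groups(inventory):
    """Return personas grouped by transitive linkage: if A shares a value
    with B and B with C, an observer who correlates both can join A to C."""
    adjacency = defaultdict(set)
    for shared in find_crossovers(inventory).values():
        for personas in shared.values():
            for p in personas:
                adjacency[p].update(q for q in personas if q != p)
    seen, groups = set(), []
    for start in inventory:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            p = stack.pop()
            if p not in group:
                group.add(p)
                stack.extend(adjacency[p] - group)
        seen |= group
        groups.append(sorted(group))
    return groups


def render_sheet(inventory):
    """Plain-text version of the sheet, with * on every marked cell."""
    marked = marked_cells(inventory)
    width = max(len(p) for p in inventory) + 2
    lines = ["persona".ljust(width) + " | " + " | ".join(c.ljust(22) for c in COLUMNS)]
    for persona, columns in inventory.items():
        cells = []
        for column in COLUMNS:
            text = ", ".join(sorted(columns.get(column, ())))
            flag = "*" if (persona, column) in marked else " "
            cells.append((flag + text).ljust(22))
        lines.append(persona.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_sheet(INVENTORY))
    print("linked groups:", linked_groups(INVENTORY))
```

In the constructed inventory the public persona never touches the research laptop or the research accounts, yet linked_groups still puts all three personas in one group: the home network joins public to professional, and the shared laptop and GitHub login join professional to research. Each marked cell removed from the sheet breaks one of those edges; the audit is done when every persona sits in its own group.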