VACUUM FULL ANALYZE

The key enrollment that Mint did sounds like registering the Machine Owner Key (MOK). That basically tells the bios that anything signed with that key should be permitted. The MOK is especially required when compiling your own drivers. Anything shipped by a Linux distro should already be signed so that the shim will permit it. SecureBoot is more about making sure your boot files haven’t been tampered with rather than being about preventing the owner from doing something.

You should already be able to boot any modern Linux OS that has support for SecureBoot. Only if you compile your own drivers or kernel would you need to use a MOK. If you do need that, you should be able to enroll another MOK or copy the MOK key files from the Mint install and use those keys to sign drivers in any other Linux distro.

The cli program mokutil will let you view and export your enrolled MOKs.

Text would be more useful than screenshots. Text is smaller to store, easier to translate, and easier to shape to whatever screen a person is using. :)

Use brew to update the core Unix utils such as bash, tar, sed, etc to the latest GNU releases. The mac has really outdated BSD-based versions.

I hope they have a good way of keeping rainwater out of the bins.

Emacs Org Mode would be perfect, but that’s a commitment if you don’t already know Emacs.

It’s common in the US Tech industry. It’s considered “voluntary” because you could always say no and find a different job, or you could negotiate the removal of that clause. Often at the beginning they give you an opportunity to list your existing obligations that would be exempted. Always read the fine print of your employment agreement.

And they keep making it harder and harder to not use a Microsoft Account.

https://www.techradar.com/computing/windows/microsoft-is-removing-known-mechanisms-for-creating-a-local-account

It sounds like the SSL/TLS version or allowed cipher list are configured for higher security on your machine or browser and the sites that are failing are using a lower security config. I’m not sure where that config is on Arch. Try a different browser. Also try fetching the sites with curl just to see if that works. Curl’s verbose mode will also tell you what ciphers it tried.

curl -v https://example.com/

A quick fix might be to disable any ipv6 addresses if you don’t specifically need them. The vpn /could/ be ipv4 only, which /could/ leave your ipv6 free to leak or make ipv6 dns requests.

Assuming that you trust what Proton says, when they receive a (possibly unencrypted) message they re-encrypt it with your key as soon as possible and they don’t log the content. So, after that point, they (or anyone else) can’t read the email contents. If it was also encrypted in transit, then there’s only a small window inside their email processing system where the plaintext was passed from one encryption to the other. It’s only decrypted again in your browser or proton mail app with the key that only you have. It’s not bulletproof, but it’s better than most providers.

Agreed. Theoretically possible, but practically not possible unless you are an embedded hardware engineer with access to Sony’s datasheets and potentially crypto keys. Some sort of external box is much more practical.

assfish are soft and flabby

Your domain name could be ordered to be removed from US-based dns providers, no matter which TLD it is. That would essentially block your website from most US-based viewers without actually shutting down your hosting. Advanced users could still get to it, though. Consider hosting through Tor and a .onion address for more resiliency.

Look into https://simplelogin.io/

They make creating random aliases for custom domains like this easy.

As for the domain name itself, anything that already looks like a mail service is good. “examplemail.com” or “mailexample.com”

Tailscale (https://tailscale.com/) works great for remote access to your private services. Once the wireguard tunnel is established, then the traffic is peer-to-peer (assuming it’s configured correctly) and not through their centralized servers. Even from a mobile device.

You might enjoy reading Extreme Privacy by Michael Bazzell

https://www.goodreads.com/book/show/217289412

How much money did you spend, and how much time overall? Would you do it again?

Agreed. Windows updates will very likely break your single-drive dual-boot at some point. So, use two different drives and use your bios/efi to choose which one to boot.

Edit: check out https://hackaday.com/2021/11/30/linux-fu-the-ultimate-dual-boot-laptop/

Edit 2: Framework 16 looks like it would meet your needs. It has two M.2 sockets for drives. https://frame.work/products/laptop16-diy-amd-7040