Recently, I started sending/receiving documents to/from untrusted sources. In my threat model, this requires extra operational security to prevent privacy exposure and security risk.

Since the official guide is not very detailed for Windows, I decided to write one while installing on Windows 11 LTSC.

First, in Windows Terminal/PowerShell, run wsl --install to set up WSL2. Read my previous post for more detail.

Because the latest versions, Dangerzone 0.9.1 and Docker Desktop 4.44.3, have an unsolvable bug (it reports unknown error '2'), I have to choose the earlier versions, which work properly.

Install Docker Desktop 4.41.2 with Use WSL 2 and Allow Windows Containers checked, then open Docker Desktop after installation to start the Docker engine in the background.

Install Dangerzone 0.9.0 and open it after installation; it will install its container image automatically.

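If everything goes well, Dangerzone will be ready to take untrusted documents/images such as PDF, DOCX and PNG. If not, use docker system prune -af to start over with different installations. Note that this removes every stopped container, unused image, unused network and the build cache on the machine, not only Dangerzone's.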
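A post-install check for the steps above, added here as an example and not part of the original post or the Dangerzone project: it confirms the Docker engine is reachable, that it is the pinned Docker Desktop version on the WSL 2 backend, and that a Dangerzone image has been loaded. The function name, the assumption that docker is on PATH, and the substring match on "dangerzone" for the image are mine.

```powershell
# Added example: post-install checks for the setup described in this post.
# Assumption: the Dangerzone image is matched by "dangerzone" in its repository name.
$ExpectedDesktop = '4.41.2'   # Docker Desktop version pinned in this post

function Test-DangerzonePrereqs {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Check($name, $ok, $detail) {
        $results.Add([pscustomobject]@{ Check = $name; Passed = [bool]$ok; Detail = "$detail" })
    }

    # 0. Is the docker CLI installed at all?
    if (-not (Get-Command docker -ErrorAction SilentlyContinue)) {
        Add-Check 'docker CLI on PATH' $false 'docker not found'
        return $results
    }

    # 1. Is the engine reachable? This fails when Docker Desktop is not running.
    $platform = docker version --format '{{.Server.Platform.Name}}' 2>$null
    $engineUp = ($LASTEXITCODE -eq 0)
    Add-Check 'Docker engine reachable' $engineUp $platform
    if (-not $engineUp) { return $results }

    # 2. Is it the pinned Docker Desktop build rather than a newer one?
    Add-Check "Docker Desktop $ExpectedDesktop" ($platform -like "*$ExpectedDesktop*") $platform

    # 3. Linux containers on the WSL 2 backend? The WSL 2 kernel string contains "WSL2".
    $os     = docker info --format '{{.OSType}}' 2>$null
    $kernel = docker info --format '{{.KernelVersion}}' 2>$null
    Add-Check 'Linux containers on WSL 2' ($os -eq 'linux' -and $kernel -match 'WSL2') "$os / $kernel"

    # 4. Has Dangerzone loaded its container image yet?
    $images = @(docker image ls --format '{{.Repository}}:{{.Tag}}' 2>$null |
                Where-Object { $_ -match 'dangerzone' })
    Add-Check 'Dangerzone image present' ($images.Count -gt 0) ($images -join ', ')

    return $results
}

Test-DangerzonePrereqs | Format-Table -AutoSize
```

Run it once after opening Docker Desktop and again after the first launch of Dangerzone; the last check only passes once Dangerzone has finished installing its image.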

Although Qubes OS is the best tool to maximize the security level, for my current risk level Dangerzone or the good old Sandboxie is adequate. Most importantly, they are convenient enough to blend into day-to-day operations or digital hygiene, unlike switching between VMs.

Sending files is much easier to manage. Using exifcleaner to remove the metadata is all I need if the content is fine.

Checking for sensitive information inside the text body or among the pixels can be another story, though; local LLMs and Stable Diffusion are handy for masking it.