Compartmentalization OPSEC: One Identity per Purpose

Compartmentalization separates your identities, devices, and accounts so a breach in one area can't cascade across everything. Here's how to build it.

Zero Trace Hub Editorial | 6 min read

Keep identities, accounts, and devices strictly separate so one slip does not collapse everything. When A and B never share hardware, logins, or channels, learning one reveals nothing about the other.

Most OPSEC failures aren't spectacular technical attacks. They're one accidental cross-contamination — one login, one email, one shared IP address — that links what was supposed to stay separate.

One Identity per Purpose — the Cardinal Rule

Every identity you operate under should have a single, defined purpose. Your professional identity, your personal identity, your pseudonymous researcher identity, your burner account for sensitive forum access — each is a separate compartment.

The rule is strict: an identity never touches another identity's infrastructure. Different email providers. Different passwords (never shared, never reused). Different browsers or browser profiles. Different VPNs or Tor circuits where applicable. Different physical devices when the threat model warrants it.

This is not paranoia for its own sake. It's containment architecture. When a breach happens — and at some point, it will — a well-compartmentalized setup means the damage is bounded. One compartment burns; the others survive.

Compartmentalization at Four Layers

Effective compartmentalization operates at four distinct layers. Each layer adds isolation. Which layers you implement depends on your threat model.

Layer 1: Device. Different physical hardware per identity or purpose. A work laptop, a personal device, a Tails USB for high-risk sessions, and possibly an air-gapped machine for the most sensitive work. Device-level compartmentalization is absolute — the OS, the hardware identifiers, and the physical location of use are all separate.

Layer 2: Operating system / virtual machine. If separate physical hardware isn't practical, separate operating environments come next. Qubes OS implements this as the core of its security model — each "qube" (lightweight VM) is isolated from every other. A compromised browser qube can't read files in your vault qube. Whonix-on-Qubes adds a layer of network isolation on top.

Layer 3: Browser profile. Firefox's Multi-Account Containers extension (available in standard Firefox) lets you run multiple isolated identities within one browser, each with separate cookies, session storage, and cache. Different containers don't share state. This is useful for separating five or six low-sensitivity identities on a single machine, but it's not a substitute for device or OS-level separation when the threat model is serious.

Layer 4: Account / credential. Every compartment has its own email address, its own set of passwords (stored in a dedicated, isolated password manager instance if needed), its own phone number or no phone number at all. No shared credentials, ever.

Hardware Compartmentalization

Physical device separation is the simplest and most reliable compartmentalization method, and it's also the one most people skip because it's inconvenient.

The minimum setup for most researchers and activists is three devices: a personal machine used for everyday tasks and personal identity, a work machine used strictly for professional identity and sensitive research, and a Tails USB booted on whatever hardware is available for high-risk sessions (Tails leaves no forensic trace on the host machine).

For the highest-risk threat models — sources in active investigations, activists in authoritarian states — an air-gapped machine (never connected to any network) for handling the most sensitive documents adds another layer. Data moves to and from the air-gap via USB drives that are dedicated to that purpose and used nowhere else.

The threat model question: would forensic analysis of my devices reveal connections between my compartments? If yes, hardware separation is necessary.

Software Compartmentalization

For those who can't or won't run multiple physical devices, software isolation is the next line of defense.

Qubes OS is the gold standard. It runs each identity and workflow in a separate Xen-based VM with no shared kernel. A malicious PDF opened in a disposable VM can't exfiltrate files from a vault VM. Even the network stack is isolated — the sys-net and sys-firewall qubes handle networking, and other qubes route through them without being directly on the network. We recommend Qubes for security researchers, journalists handling sensitive documents, and anyone whose threat model includes targeted malware.

Whonix runs as a VM pair — Workstation and Gateway. The Gateway connects to Tor; the Workstation runs behind it. Even if the Workstation is compromised, the adversary only sees the Tor exit node, not your real IP. Whonix-on-Qubes combines both models.

Firefox Multi-Account Containers are useful for separating day-to-day browser identities (work, personal, forums) that do not need operational isolation. They are not appropriate for genuinely sensitive compartments where OS-level separation is required.

Practical Patterns and the Traps to Avoid

The biggest trap in compartmentalization isn't failing to set it up — it's a linking error after setup.

The linking error scenario: You've maintained a pseudonymous identity for eight months. One afternoon, tired and distracted, you log into your pseudonymous forum from the browser you normally use for your real-identity Google account. Google's tracker was loaded in another tab. The association between your real browser fingerprint and your pseudonym is now in an ad-tech database. Game over.

This specific failure happens often enough that it has a name in OPSEC circles: "compartment bleed." The fix is operational discipline, not better tools. Tools help — browser profile isolation makes the mistake harder to make. But the only reliable protection is consistent behavior.

Other patterns to avoid:

  • Using the same writing style across compartments. Stylometric analysis can link pseudonymous and real-identity writing with surprising accuracy.
  • Same posting times across accounts. Behavioral metadata is linkable.
  • Shared infrastructure. If pseudonymous identity A and real identity B both connect from the same home IP at the same time, they're linked, regardless of what identities are claimed.
  • Reusing any credential. One leaked password that appears in multiple compartments collapses the separation completely.
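
One way to audit an inventory of your own compartments for the shared-infrastructure and credential-reuse links listed above (an added example, not part of the original article). The compartment names, attribute keys and values are constructed; it also shows how two compartments that share nothing directly still end up in the same cluster through a third.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample inventory: compartment -> {attribute: label}.
# Store labels only (a vault entry name, a SIM nickname), never the secrets themselves.
INVENTORY = {
    "personal":     {"email": "provider-a", "device": "laptop-1", "profile": "ff-default", "egress": "home-isp",   "password_id": "vault-a/pw-1", "phone": "sim-1"},
    "professional": {"email": "provider-b", "device": "laptop-2", "profile": "ff-work",    "egress": "office-vpn", "password_id": "vault-b/pw-1", "phone": "sim-2"},
    "researcher":   {"email": "provider-c", "device": "laptop-3", "profile": "ff-research","egress": "home-isp",   "password_id": "vault-c/pw-1", "phone": None},
    "forum-burner": {"email": "provider-d", "device": "tails-usb","profile": "tor-browser","egress": "tor",        "password_id": "vault-c/pw-1", "phone": None},
}

def shared_attributes(inventory):
    """Return {(comp_a, comp_b): [(attr, value), ...]} for every pair sharing a value."""
    owners = defaultdict(set)
    for comp, attrs in inventory.items():
        for attr, value in attrs.items():
            if value is not None:          # "no phone number at all" links nothing
                owners[(attr, value)].add(comp)
    links = defaultdict(list)
    for key, comps in owners.items():
        for a, b in combinations(sorted(comps), 2):
            links[(a, b)].append(key)
    return dict(links)

def blast_radius(inventory):
    """Cluster compartments joined, directly or transitively, by any shared value."""
    parent = {c: c for c in inventory}
    def find(c):                           # union-find with path halving
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c
    for a, b in shared_attributes(inventory):
        parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for c in inventory:
        clusters[find(c)].add(c)
    # Largest cluster first: that is what one burned compartment exposes.
    return sorted((sorted(m) for m in clusters.values()), key=lambda m: (-len(m), m))

if __name__ == "__main__":
    for pair, why in shared_attributes(INVENTORY).items():
        print(pair, "linked by", why)
    print("clusters:", blast_radius(INVENTORY))
```

An inventory like this only covers static selectors; writing style and posting times are behavioural links and will not show up in it.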

Threat Model

Compartmentalization addresses the adversary who has partial information and is trying to expand it. The goal is to make expansion hard.

A data broker aggregating your digital footprint can link accounts through email addresses, phone numbers, and browser fingerprints — all linkable data points that compartmentalization removes. A law enforcement agency subpoenaing records finds each compartment returning no useful links to others. A targeted attacker who compromises one device or account finds that the compromise doesn't extend to your other identities.

The adversary compartmentalization doesn't address well is one who has compromised your physical environment — malware on a device before compartments were established, or physical access to your hardware. Tails OS partially addresses this by running from a clean state on every boot, leaving no persistent trace on the host machine.

Start your compartmentalization plan from your threat model. Don't build complexity you don't need. Build exactly the compartments the model demands, then maintain the discipline to keep them separate.

Frequently Asked Questions

How many compartments do I need?

As few as your threat model requires and no more. Over-compartmentalization creates friction that leads to mistakes. A journalist might need three: personal, professional, and source-facing. A privacy-conscious civilian might need two: real identity and pseudonymous browsing. An activist in a high-risk environment might need more. Start with the minimum.

Can Firefox containers replace Tor for anonymity?

No. Containers isolate browser state (cookies, sessions, localStorage) per identity but don't change your IP address, browser fingerprint, or the fact that your ISP can see all connections. Containers are an account-separation tool, not an anonymity tool. For anonymity, use Tor Browser or Tails.

What happens if I make a linking error?

Assess first: what was linked, to what, and who could have captured it? If it was logged into an ad-tech tracker, your options are limited — assume the link is in a database somewhere. If the link was only in your own logs or a service you control, you may be able to minimize exposure. Either way, treat it as a compartment breach and consider retiring the affected identity.

Is Qubes OS necessary for compartmentalization?

Not for everyone. Qubes provides the strongest available software-level isolation, but it requires significant hardware resources (16 GB RAM minimum, modern CPU with VT-d) and has a steep learning curve. For most threat models, Firefox containers plus Tails for high-risk sessions provide adequate compartmentalization without Qubes' complexity.
