New Crowdin translations by GitHub Action

i18n/ar/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/ar/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/ar/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/ar/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/ar/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/ar/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/ar/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/ar/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/bn-IN/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y
 
 আপনার উজার-নেম, পাসওয়ার্ড এবং বর্তমান TOTP কোড হাতানোর জন্য, আপনাকে প্রতারণা করার চেষ্টায় একজন আক্ক্রমণকারী একটি অফিসিয়াল পরিষেবার অনুকরণ করে একটি ওয়েবসাইট সেট আপ করতে পারে। আক্রমণকারী সেই রেকর্ড করা তথ্যগুলি ব্যবহার করে প্রকৃত পরিষেবাতে লগ ইন করতে এবং অ্যাকাউন্ট হাইজ্যাক করতে সক্ষম হতে পারে।
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### হার্ডওয়্যার সিকিউরিটি কী
 

i18n/bn-IN/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/bn-IN/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/bn-IN/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/bn-IN/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/bn-IN/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/bn-IN/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/bn-IN/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/bn/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/bn/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/bn/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/bn/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/bn/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/bn/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/bn/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/bn/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/cs/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/cs/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/cs/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/cs/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/cs/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/cs/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/cs/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/cs/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/de/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/de/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/de/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Faktor-Authentifizierung"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warnung</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warnung</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warnung</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/de/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/de/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Suche
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/de/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/de/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warnung</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warnung</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warnung</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warnung</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/de/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/el/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/el/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/el/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Αυθεντικοποίηση Πολλών Παραγόντων"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/el/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/el/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### Σύστημα
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Αναζήτηση
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/el/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/el/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/el/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/eo/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/eo/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/eo/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/eo/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/eo/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/eo/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/eo/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/eo/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/es/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ A diferencia de [WebAuthn](#fido-fast-identity-online), TOTP no ofrece protecci
 
 Un adversario podría crear un sitio web para imitar un servicio oficial en un intento de engañarte para que des tu nombre de usuario, contraseña y código TOTP actual. Si el adversario utiliza esas credenciales registradas puede ser capaz de entrar en el servicio real y secuestrar la cuenta.
 
-Aunque no es perfecto, TOTP es lo suficientemente seguro para la mayoría de la gente, y cuando las [llaves de seguridad de hardware](../multi-factor-authentication.md#hardware-security-keys) no son compatibles las [aplicaciones de autenticación](../multi-factor-authentication.md#authenticator-apps) siguen siendo una buena opción.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Llaves de seguridad de hardware
 

i18n/es/basics/passwords-overview.md

@@ -113,7 +113,7 @@ Hay muchas buenas opciones para elegir, tanto basadas en la nube como locales. E
 <div class="admonition warning" markdown>
 <p class="admonition-title">No coloques tus contraseñas y tokens TOTP en el mismo gestor de contraseñas</p>
 
-Cuando utilices códigos TOTP como [autenticación multifactor](../multi-factor-authentication.md), la mejor práctica de seguridad es mantener tus códigos TOTP en una [app separada](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Almacenar tus tokens TOTP en el mismo lugar que tus contraseñas, aunque cómodo, reduce las cuentas a un único factor en caso de que un adversario acceda a tu gestor de contraseñas.
 

i18n/es/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Autenticadores de Múltiples Factores"
+title: "Autenticación de Múltiples Factores"
 icon: 'material/two-factor-authentication'
 description: Estas herramientas te ayudan a proteger tus cuentas de Internet con la autenticación multifactor sin enviar tus secretos a terceros.
 cover: multi-factor-authentication.webp
 ---
 
-## Llaves de Seguridad
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-Las **YubiKeys** están entre las llaves de seguridad más populares. Algunos modelos de YubiKey tienen una amplia gama de características, como: autenticación [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 y WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP y HOTP](https://developers.yubico.com/OATH).
-
-Una de las ventajas de la YubiKey es que una llave puede hacer casi todo (YubiKey 5) lo que se podría esperar de una llave de seguridad. Te animamos a que hagas el [cuestionario](https://yubico.com/quiz) antes de comprar para asegurarte de que tomas la decisión correcta.
-
-[:octicons-home-16: Página Principal](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Política de Privacidad" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentación}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-La [tabla de comparación](https://yubico.com/store/compare) muestra las características y cómo se comparan las YubiKeys. Le recomendamos que seleccione las llaves de las YubiKey 5 Series.
-
-Las YubiKeys se pueden programar utilizando [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) o [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). Para gestionar los códigos TOTP, puedes utilizar [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Todos los clientes de Yubico son de código abierto.
-
-Para los modelos que soportan HOTP y TOTP, hay 2 ranuras en la interfaz OTP que pueden utilizarse para HOTP y 32 ranuras para almacenar secretos TOTP. Estos secretos se almacenan cifrados en la llave y nunca se exponen a los dispositivos a los que se conectan. Una vez que se ha proporcionado una semilla (secreto compartido) a Yubico Authenticator, éste sólo proporcionará los códigos de seis dígitos, pero nunca la semilla. Este modelo de seguridad ayuda a limitar lo que un atacante puede hacer si compromete uno de los dispositivos que ejecutan Yubico Authenticator y hace que la YubiKey sea resistente a un atacante físico.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Advertencia</p>
-
-El firmware de YubiKey no es de código abierto y no se puede actualizar. Si desea características en versiones de firmware más nuevas, o si hay una vulnerabilidad en la versión de firmware que está utilizando, tendría que comprar una nueva llave.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** tiene una clave de seguridad capaz de [FIDO2 y WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) llamada **Nitrokey FIDO2**. Para obtener compatibilidad con PGP, deberá adquirir una de sus otras llaves, como la **Nitrokey Start**, la **Nitrokey Pro 2** o la **Nitrokey Storage 2**.
-
-[:octicons-home-16: Página Principal](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Política de Privacidad" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentación}
-
-</details>
-
-</div>
-
-La [tabla de comparación](https://nitrokey.com/#comparison) muestra las características y cómo se comparan los modelos de las Nitrokey. La **Nitrokey 3** listada tendrá un conjunto de características combinadas.
-
-Los modelos de Nitrokey se pueden configurar usando la [aplicación de Nitrokey](https://nitrokey.com/download).
-
-Para los modelos que admiten HOTP y TOTP, hay 3 ranuras para HOTP y 15 para TOTP. Algunas Nitrokeys pueden actuar como administrador de contraseñas. Pueden almacenar 16 credenciales diferentes y cifrarlas utilizando la misma contraseña que la interfaz OpenPGP.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Advertencia</p>
-
-Aunque las Nitrokeys no revelan los secretos HOTP/TOTP al dispositivo al que están conectadas, el almacenamiento HOTP y TOTP **no** está cifrado y es vulnerable a ataques físicos. Si desea almacenar secretos HOTP o TOTP, le recomendamos encarecidamente que utilice una YubiKey en su lugar.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Advertencia</p>
-
-El restablecimiento de la interfaz OpenPGP en una Nitrokey también hará la base de datos de contraseñas [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-La Nitrokey Pro 2, la Nitrokey Storage 2 y la próxima Nitrokey 3 admiten la verificación de la integridad del sistema para portátiles con el firmware [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net).
-
-El firmware de Nitrokey es de código abierto, a diferencia del de YubiKey. El firmware de los modelos NitroKey modernos (excepto el de la **NitroKey Pro 2**) se puede actualizar.
-
-### Criterios
-
-**Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted.
-
-#### Requisitos Mínimos
-
-- Debe utilizar módulos de seguridad de hardware de alta calidad y resistentes a la manipulación.
-- Debe ser compatible con la última especificación FIDO2.
-- No debe permitir la extracción de claves privadas.
-- Los dispositivos que cuesten más de 35$ deben soportar el manejo de OpenPGP y S/MIME.
-
-#### Mejor Caso
-
-Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página.
-
-- Debe estar disponible en formato USB-C.
-- Debe estar disponible con NFC.
-- Debe soportar el almacenamiento de secretos TOTP.
-- Debe soportar actualizaciones seguras de firmware.
-
-## Aplicaciones de Autenticación
-
-Las Aplicaciones de Autenticación implementan un estándar de seguridad adoptado por el Grupo de Trabajo de Ingeniería de Internet (IETF) llamado **Contraseñas de un solo uso basadas en el tiempo** o **TOTP**. Se trata de un método en el que los sitios web comparten un secreto con usted que es utilizado por su aplicación de autenticación para generar un código de seis dígitos (normalmente) basado en la hora actual, que introduce al iniciar sesión para que el sitio web lo compruebe. Normalmente, estos códigos se regeneran cada 30 segundos, y una vez que se genera uno nuevo, el anterior queda inutilizado. Incluso si un pirata informático consigue un código de seis dígitos, no hay forma de que invierta ese código para obtener el secreto original ni de que pueda predecir cuáles serán los códigos futuros.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Se trata de un método en el que los sitios web comparten un secreto con usted que es utilizado por su aplicación de autenticación para generar un código de seis dígitos (normalmente) basado en la hora actual, que introduce al iniciar sesión para que el sitio web lo compruebe. Normalmente, estos códigos se regeneran cada 30 segundos, y una vez que se genera uno nuevo, el anterior queda inutilizado. Incluso si un pirata informático consigue un código de seis dígitos, no hay forma de que invierta ese código para obtener el secreto original ni de que pueda predecir cuáles serán los códigos futuros.
 
 Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en lugar de alternativas de escritorio, ya que Android e iOS tienen mejor seguridad y aislamiento de aplicaciones que la mayoría de los sistemas operativos de escritorio.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en luga
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ Recomendamos encarecidamente que utilice aplicaciones TOTP para móviles en luga
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criterios
+## Criterios
 
 **Por favor, tenga en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que usted se familiarice con esta lista, antes de decidir utilizar un proyecto y realizar su propia investigación para asegurarse de que es la elección ideal para usted.
 

i18n/es/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Sistemas Operativos
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/es/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### Sistema
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### Perfiles de usuario
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Buscar
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/es/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/es/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: Estas herramientas te ayudan a proteger tus cuentas de Internet con la autenticación multifactor sin enviar tus secretos a terceros.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Advertencia</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Advertencia</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Advertencia</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Advertencia</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criterios
+
+**Por favor, ten en cuenta que no estamos afiliados con ninguno de los proyectos que recomendamos.** Además de [nuestros criterios estándar](about/criteria.md), hemos desarrollado un conjunto claro de requisitos que nos permiten ofrecer recomendaciones objetivas. Sugerimos que te familiarices con esta lista, antes de decidir utilizar un proyecto y realizar tu propia investigación para asegurarte de que es la elección ideal para ti.
+
+### Requisitos Mínimos
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Mejor Caso
+
+Nuestro criterio del mejor caso representa lo que nos gustaría ver del proyecto perfecto en esta categoría. Es posible que nuestras recomendaciones no incluyan todas o algunas de estas funciones, pero las que sí las incluyan pueden estar mejor clasificadas que otras en esta página.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/es/tools.md

@@ -166,7 +166,7 @@ Para obtener más información sobre cada proyecto, por qué han sido elegidos y
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ Para cifrar la unidad de su sistema operativo, normalmente recomendamos utilizar
 
 ### Herramientas de Autenticación de Múltiples Factores
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ Para cifrar la unidad de su sistema operativo, normalmente recomendamos utilizar
 
 [Más información :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Más información :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Sistemas Operativos
 
 ### Móvil

i18n/fa/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/fa/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/fa/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/fa/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/fa/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### جستجو
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/fa/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/fa/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/fa/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/fr/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Contrairement à [WebAuthn](#fido-fast-identity-online), TOTP n'offre aucune pro
 
 Un adversaire pourrait créer un site web imitant un service officiel afin de vous inciter à donner votre nom d'utilisateur, votre mot de passe et votre code TOTP actuel. Si l'adversaire utilise ensuite ces informations d'identification enregistrées, il peut être en mesure de se connecter au service réel et de détourner le compte.
 
-Bien qu'imparfait, TOTP est suffisamment sûr pour la plupart des gens, et lorsque [les clés de sécurité matérielles](../multi-factor-authentication.md#hardware-security-keys) ne sont pas prises en charge [les applications d'authentification](../multi-factor-authentication.md#authenticator-apps) restent une bonne option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Clés de Sécurité Matérielles
 

i18n/fr/basics/passwords-overview.md

@@ -113,7 +113,7 @@ Il existe de nombreuses options intéressantes, qu'elles soient basées sur le c
 <div class="admonition warning" markdown>
 <p class="admonition-title">Ne placez pas vos mots de passe et vos codes TOTP dans le même gestionnaire de mots de passe</p>
 
-Lorsque vous utilisez des codes TOTP comme [authentification à multi-facteurs](../multi-factor-authentication.md), la meilleure pratique de sécurité consiste à conserver vos codes TOTP dans une [application séparée](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Le stockage de vos codes TOTP au même endroit que vos mots de passe, bien que pratique, réduit les comptes à un seul facteur dans le cas où un adversaire aurait accès à votre gestionnaire de mots de passe.
 

i18n/fr/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Authentification multi-facteurs"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Clés de sécurité matérielles
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-Les **YubiKeys** font partie des clés de sécurité les plus populaires. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-L'un des avantages de la YubiKey est qu'une seule clé peut faire presque tout (YubiKey 5) ce que vous pouvez attendre d'une clé de sécurité matérielle. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. Nous vous recommandons vivement de choisir des clés de la série YubiKey 5.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). Tous les clients de Yubico sont open source.
-
-Pour les modèles qui supportent HOTP et TOTP, il y a 2 emplacements dans l'interface OTP qui peuvent être utilisés pour HOTP et 32 emplacements pour stocker les secrets TOTP. Ces secrets sont stockés et chiffrés sur la clé et ne sont jamais exposés aux appareils sur lesquels elle est branchée. Une fois qu'une graine (secret partagé) est donnée à l'authentificateur Yubico, celui-ci ne donnera que les codes à six chiffres, mais jamais la graine. Ce modèle de sécurité permet de limiter ce qu'un attaquant peut faire s'il compromet l'un des appareils exécutant le Yubico Authenticator et rend la YubiKey résistante à un attaquant physique.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Avertissement</p>
-
-The firmware of YubiKey is not open source and is not updatable. Si vous souhaitez obtenir des fonctionnalités dans des versions plus récentes du firmware, ou si la version du firmware que vous utilisez présente une vulnérabilité, vous devrez acheter une nouvelle clé.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** possède une clé de sécurité qui prend en charge [FIDO2 et WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) appelée la **Nitrokey FIDO2**. Pour la prise en charge de PGP, vous devez acheter l'une de leurs autres clés comme la **Nitrokey Start**, la **Nitrokey Pro 2** ou la **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. La **Nitrokey 3** répertoriée aura un ensemble de fonctionnalités combinées.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-Pour les modèles qui supportent HOTP et TOTP, il y a 3 emplacements pour HOTP et 15 pour TOTP. Certaines Nitrokeys peuvent faire office de gestionnaire de mots de passe. Ils peuvent stocker 16 identifiants différents et les chiffrer en utilisant le même mot de passe que l'interface OpenPGP.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Avertissement</p>
-
-Bien que les Nitrokeys ne divulguent pas les secrets HOTP/TOTP à l'appareil auquel ils sont connectés, le stockage HOTP et TOTP n'est **pas** chiffré et est vulnérable aux attaques physiques. Si vous cherchez à stocker des secrets HOTP ou TOTP, nous vous recommandons vivement d'utiliser plutôt un YubiKey.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Avertissement</p>
-
-La réinitialisation de l'interface OpenPGP sur une Nitrokey rendra également la base de données des mots de passe [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Le micrologiciel de la Nitrokey est open source, contrairement à la YubiKey. Le micrologiciel des modèles NitroKey modernes (à l'exception de la **NitroKey Pro 2**) peut être mis à jour.
-
-### Critères
-
-**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
-
-#### Exigences minimales
-
-- Doit utiliser des modules de sécurité matériels de haute qualité et resistant aux attaques physiques.
-- Doit prendre en charge la dernière spécification FIDO2.
-- Ne doit pas permettre l'extraction de la clé privée.
-- Les appareils qui coûtent plus de 35 $ doivent prendre en charge la gestion d'OpenPGP et de S/MIME.
-
-#### Dans le meilleur des cas
-
-Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
-
-- Devrait être disponible en format USB-C.
-- Devrait être disponible avec NFC.
-- Devrait prendre en charge le stockage de secrets de TOTP.
-- Devrait prendre en charge les mises à jour sécurisées du micrologiciel.
-
-## Applications d'authentification
-
-Les applications d'authentification implémentent une norme de sécurité adoptée par l'Internet Engineering Task Force (IETF) appelée **Mots de Passe à Usage Unique Basé sur le Temps**, ou **Time based One Time Password (TOTP)**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. Il s'agit d'une méthode par laquelle les sites web partagent avec vous un secret qui est utilisé par votre application d'authentification pour générer un code à six chiffres (généralement) basé sur l'heure actuelle, que vous saisissez lorsque vous vous connectez pour que le site web puisse le vérifier. En général, ces codes sont régénérés toutes les 30 secondes, et dès qu'un nouveau code est généré, l'ancien devient inutile. Même si un pirate obtient un code à six chiffres, il n'a aucun moyen d'inverser ce code pour obtenir le secret original, ni de prédire quels seront les codes futurs.
 
 Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt que des alternatives de bureau, car Android et IOS offrent une meilleure sécurité et une meilleure isolation des applications que la plupart des systèmes d'exploitation de bureau.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ Nous vous recommandons vivement d'utiliser des applications TOTP mobiles plutôt
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Critères
+## Critères
 
 **Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
 

i18n/fr/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Systèmes d'exploitation
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/fr/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### Système
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### Profils utilisateurs
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Recherche
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/fr/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/fr/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Avertissement</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Avertissement</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Avertissement</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Avertissement</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Critères
+
+**Veuillez noter que nous ne sommes affiliés à aucun des projets que nous recommandons.** En plus de [nos critères de base](about/criteria.md), nous avons développé un ensemble d'exigences claires pour nous permettre de fournir des recommandations objectives. Nous vous suggérons de vous familiariser avec cette liste avant de choisir d'utiliser un projet, et de mener vos propres recherches pour vous assurer que c'est le bon choix pour vous.
+
+### Exigences minimales
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Dans le meilleur des cas
+
+Nos critères de cas idéal représentent ce que nous aimerions voir d'un projet parfait dans cette catégorie. Nos recommandations peuvent ne pas inclure tout ou partie de cette fonctionnalité, mais celles qui l'inclus peuvent être mieux classées que les autres sur cette page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/fr/tools.md

@@ -166,9 +166,9 @@ Nous [recommandons](dns.md#recommended-providers) un certain nombre de serveurs
 
 <div class="grid cards" markdown>
 
-- ![Logo d'Ente](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Logo d'Ente](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
-- ![Logo de Stingle](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Logo de Stingle](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
-- ![Logo de PhotoPrism](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
+- ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
+- ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
 </div>
 
@@ -336,12 +336,12 @@ Pour chiffrer le disque de votre système d'exploitation, nous vous recommandons
 
 ### Outils d'authentification multi-facteurs
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
-- ![Logo d'Ente Auth](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
-- ![Logo d'Aegis](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
+- ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
+- ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
 </div>
 
@@ -423,6 +423,20 @@ Pour chiffrer le disque de votre système d'exploitation, nous vous recommandons
 
 [En savoir plus :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[En savoir plus :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Systèmes d'exploitation
 
 ### Mobile

i18n/he/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ If you have a hardware security key with TOTP support (such as a YubiKey with [Y
 
 יריב יכול להקים אתר כדי לחקות שירות רשמי בניסיון להערים עליך למסור את שם המשתמש, הסיסמה וקוד ה-TOTP הנוכחי שלך. אם היריב ישתמש באותם אישורים מוקלטים, ייתכן שהוא יוכל להיכנס לשירות האמיתי ולחטוף את החשבון.
 
-למרות שאינו מושלם, TOTP מאובטח מספיק עבור רוב האנשים, ומתי ש[מפתחות אבטחה חומרה](../multi-factor-authentication.md#hardware-security-keys) אינם נתמכים [אפליקציות אימות](../multi-factor-authentication.md#authenticator-apps) עדיין אפשרות טובה.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### מפתחות אבטחת חומרה
 

i18n/he/basics/passwords-overview.md

@@ -113,7 +113,7 @@ Let's put all of this in perspective: A seven word passphrase using [EFF's large
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-בעת שימוש בקודי TOTP כ[אימות רב-גורמי](../multi-factor-authentication.md), שיטת האבטחה הטובה ביותר היא לשמור את קודי ה-TOTP שלך ב[אפליקציה נפרדת](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 אחסון אסימוני ה-TOTP שלך באותו מקום כמו הסיסמאות שלך, למרות שהוא נוח, מצמצם את החשבונות לגורם יחיד במקרה שיריב יקבל גישה למנהל הסיסמאות שלך.
 

i18n/he/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "אימות מרובה גורמים"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## מפתחות אבטחה של חומרה
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-**YubiKeys** הם בין מפתחות האבטחה הפופולריים ביותר. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-אחד היתרונות של YubiKey הוא שמפתח אחד יכול לעשות כמעט הכל (YubiKey 5), שאפשר לצפות ממפתח אבטחת חומרה. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. אנו ממליצים בחום לבחור במפתחות מסדרת YubiKey 5.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). כל הלקוחות של Yubico הם קוד פתוח.
-
-עבור דגמים התומכים ב - HOTP וב - TOTP, ישנם 2 חריצים בממשק ה - OTP שניתן להשתמש בהם עבור HOTP ו -32 חריצים לאחסון סודות TOTP. סודות אלה מאוחסנים מוצפנים על המפתח ואף פעם לא לחשוף אותם למכשירים הם מחוברים. ברגע שזרע (סוד משותף) ניתן למאמת Yubico, הוא ייתן רק את הקודים בני שש הספרות, אך לעולם לא את הזרע. מודל אבטחה זה עוזר להגביל את מה שתוקף יכול לעשות אם הוא מסכן את אחד המכשירים המריצים את המאמת של Yubico והופך את ה - YubiKey לעמיד בפני תוקף פיזי.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. אם אתה רוצה תכונות בגרסאות קושחה חדשות יותר, או אם ישנה פגיעות בגרסת הקושחה שבה אתה משתמש, תצטרך לרכוש מפתח חדש.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**ל - Nitrokey** יש מפתח אבטחה המסוגל ל- [FIDO2 ו- WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) בשם **Nitrokey FIDO2**. לתמיכה ב-PGP, עליך לרכוש אחד מהמפתחות האחרים שלהם כגון **Nitrokey Start**, **Nitrokey Pro 2** או **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. ל**Nitrokey 3** המופיע ברשימה תהיה ערכת תכונות משולבת.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-עבור הדגמים התומכים ב - HOTP וב - TOTP, ישנם 3 חריצים עבור HOTP ו -15 עבור TOTP. Nitrokeys מסוימים יכולים לשמש כמנהל סיסמאות. הם יכולים לאחסן 16 אישורים שונים ולהצפין אותם באמצעות אותה סיסמה כמו ממשק OpenPGP.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-בעוד ש-Nitrokeys אינם משחררים את סודות ה-HOTP/TOTP למכשיר שאליו הם מחוברים, אחסון ה-HOTP וה-TOTP **לא** מוצפן ופגיע להתקפות פיזיות. אם אתם מחפשים לאחסן סודות HOTP או TOTP, אנו ממליצים בחום להשתמש במפתח YubiKey.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-איפוס ממשק OpenPGP על Nitrokey גם יגרום למסד הנתונים סיסמה [inaccessible](https://docs.nitrokey.com/pro/factory-reset.html).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-הקושחה של Nitrokey היא קוד פתוח, שלא כמו YubiKey. הקושחה בדגמי NitroKey המודרניים (למעט ה**NitroKey Pro 2**) ניתנת לעדכון.
-
-### קריטריונים
-
-**שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
-
-#### דרישות מינימליות
-
-- יש להשתמש במודולי אבטחה עמידים לחומרה באיכות גבוהה.
-- חייב לתמוך במפרט FIDO2 העדכני ביותר.
-- אסור לאפשר חילוץ מפתח פרטי.
-- מכשירים שעולים מעל $35 חייבים לתמוך בטיפול ב-OpenPGP וב-S/MIME.
-
-#### המקרה הטוב ביותר
-
-הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה.
-
-- אמור להיות זמין בפורמט USB-C.
-- אמור להיות זמין עם NFC.
-- אמור לתמוך באחסון סודי ב-TOTP.
-- אמור לתמוך בעדכוני קושחה מאובטחים.
-
-## אפליקציות מאמתות
-
-יישומי אימות מיישמים תקן אבטחה שאומץ על ידי כוח המשימה להנדסת אינטרנט (IETF) הנקרא **סיסמאות חד פעמיות חד פעמיות מבוססות זמן**, או **TOTP**. זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. זוהי שיטה שבה אתרי אינטרנט משתפים איתך סוד המשמש את אפליקציית האימות שלך כדי ליצור קוד בן שש ספרות (בדרך כלל) בהתבסס על השעה הנוכחית, שאותה אתה מזין בעת הכניסה לאתר כדי לבדוק. בדרך כלל קודים אלה מתחדשים כל 30 שניות, וברגע שנוצר קוד חדש הקוד הישן הופך לחסר תועלת. גם אם האקר מקבל קוד אחד בן שש ספרות, אין דרך להפוך את הקוד כדי לקבל את הסוד המקורי או אחרת להיות מסוגל לחזות מה כל קודים עתידיים עשויים להיות.
 
 אנו ממליצים בחום להשתמש באפליקציות TOTP למכשירים ניידים במקום בחלופות לשולחן העבודה, מכיוון שלאנדרואיד ול-iOS יש אבטחה ובידוד אפליקציות טובים יותר מרוב מערכות ההפעלה השולחניות.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports sys
 
 </div>
 
-### Aegis Authenticator (אנדרואיד)
+## Aegis Authenticator (אנדרואיד)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports sys
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### קריטריונים
+## קריטריונים
 
 **שים לב שאיננו קשורים לאף אחד מהפרויקטים שאנו ממליצים עליהם.** בנוסף ל [הקריטריונים הסטנדרטיים שלנו](about/criteria.md), פיתחנו סט ברור של דרישות כדי לאפשר לנו לספק המלצות אובייקטיביות. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
 

i18n/he/os/index.md

@@ -0,0 +1,19 @@
+---
+title: מערכות הפעלה
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/he/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### מערכת
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### פרופילי משתמשים
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### חיפוש
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/he/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/he/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## קריטריונים
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. אנו מציעים לך להכיר את הרשימה הזו לפני שתבחר להשתמש בפרויקט, ולערוך מחקר משלך כדי להבטיח שזו הבחירה הנכונה עבורך.
+
+### דרישות מינימליות
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### המקרה הטוב ביותר
+
+הקריטריונים הטובים ביותר שלנו מייצגים את מה שהיינו רוצים לראות מהפרויקט המושלם בקטגוריה זו. ייתכן שההמלצות שלנו לא יכללו חלק מהפונקציונליות הזו או את כולה, אך אלו שכן כן עשויות לדרג גבוה יותר מאחרות בדף זה.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/he/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### כלי אימות רב-גורמי
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [למד עוד :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[למד עוד :material-arrow-right-drop-circle:](security-keys.md)
+
 ## מערכות הפעלה
 
 ### נייד

i18n/hi/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/hi/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/hi/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Warning</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Criteria
-
-**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
-
-#### Minimum Requirements
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Best-Case
-
-Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Criteria
+## Criteria
 
 **Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
 

i18n/hi/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operating Systems
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)

i18n/hi/os/windows/group-policies.md

@@ -0,0 +1,134 @@
+---
+title: Group Policy Settings
+---
+
+Outside of modifying the registry itself, the **Local Group Policy Editor** is the most powerful way to change many aspects of your system without installing third-party tools. Changing these settings requires [Pro Edition](index.md#windows-editions) or better.
+
+These settings should be set on a brand new installation of Windows. Setting them on your existing installation should work, but may introduce unpredictible behavior and is done at your own risk.
+
+All of these settings have an explanation attached to them in the Group Policy editor which explains exactly what they do, usually in great detail. Please pay attention to those descriptions as you make changes, so you know exactly what we are recommending here. We've also explained some of our choices below whenever the explanation included with Windows is inadequate.
+
+## Administrative Templates
+
+You can find these settings by opening `gpedit.msc` and navigating to **Local Computer Policy** > **Computer Configuration** > **Administrative Templates** in the left sidebar. The headers on this page correspond to folders/subfolders within Administrative Templates, and the bullet points correspond to individual policies.
+
+To change any group policy, double click it and select Enabled or Disabled at the top of the window that appears depending on the recommendations below. Some group policies have additional settings that can be configured, and if that's the case the appropriate settings are noted below as well.
+
+### System
+
+#### Device Guard
+
+- Turn On Virtualization Based Security: **Enabled**
+  - Platform Security Level: **Secure Boot and DMA Protection**
+  - Secure Launch Configuration: **Enabled**
+
+#### Internet Communication Management
+
+- Turn off Windows Customer Experience Improvement Program: **Enabled**
+- Turn off Windows Error Reporting: **Enabled**
+- Turn off the Windows Messenger Customer Experience Improvement Program: **Enabled**
+
+Note that disabling the Windows Customer Experience Improvement Program also disables some other tracking features that can be individually controlled with Group Policy as well. We don't list them all here or disable them because this setting covers that.
+
+#### OS Policies
+
+- Allow Clipboard History: **Disabled**
+- Allow Clipboard synchronization across devices: **Disabled**
+- Enables Activity Feed: **Disabled**
+- Allow publishing of User Activities: **Disabled**
+- Allow upload of User Activities: **Disabled**
+
+#### User Profiles
+
+- Turn off the advertising ID: **Enabled**
+
+### Windows Components
+
+#### AutoPlay Policies
+
+AutoRun and AutoPlay are features which allow Windows to run a script or perform some other task when a device is connected, sometimes avoiding security measures that involve user consent. This could allow untrusted devices to run malicious code without your knowledge. It's a security best practice to disable these features, and simply open files on your external disks manually.
+
+- Turn off AutoPlay: **Enabled**
+- Disallow Autoplay for nonvolume devices: **Enabled**
+- Set the default behavior for AutoRun: **Enabled**
+  - Default AutoRun Behavior: **Do not execute any AutoRun commands**
+
+#### BitLocker Drive Encryption
+
+You may wish to re-encrypt your operating system drive after changing these settings.
+
+- Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7): **Enabled**
+  - Select the encryption method: **AES-256**
+
+Setting the cipher strength for the Windows 7 policy still applies that strength to newer versions of Windows.
+
+##### Operating System Drives
+
+- Require additional authentication at startup: **Enabled**
+- Allow enhanced PINs for startup: **Enabled**
+
+Despite the names of these policies, this doesn't _require_ you to do anything by default, but it will unlock the _option_ to have a more complex setup (such as requiring a PIN at startup in addition to the TPM) in the Bitlocker setup wizard.
+
+#### Cloud Content
+
+- Turn off cloud optimized content: **Enabled**
+- Turn off cloud consumer account state content: **Enabled**
+- Do not show Windows tips: **Enabled**
+- Turn off Microsoft consumer experiences: **Enabled**
+
+#### Credential User Interface
+
+- Require trusted path for credential entry: **Enabled**
+- Prevent the use of security questions for local accounts: **Enabled**
+
+#### Data Collection and Preview Builds
+
+- Allow Diagnostic Data: **Enabled**
+  - Options: **Send required diagnostic data** (Pro Edition); or
+  - Options: **Diagnostic data off** (Enterprise or Education Edition)
+- Limit Diagnostic Log Collection: **Enabled**
+- Limit Dump Collection: **Enabled**
+- Limit optional diagnostic data for Desktop Analytics: **Enabled**
+  - Options: **Disable Desktop Analytics collection**
+- Do not show feedback notifications: **Enabled**
+
+#### File Explorer
+
+- Turn off account-based insights, recent, favorite, and recommended files in File Explorer: **Enabled**
+
+#### MDM
+
+- Disable MDM Enrollment: **Enabled**
+
+#### OneDrive
+
+- Save documents to OneDrive by default: **Disabled**
+- Prevent OneDrive from generating network traffic until the user signs in to OneDrive: **Enabled**
+- Prevent the usage of OneDrive for file storage: **Enabled**
+
+This last setting disables OneDrive on your system; make sure to change it to **Disabled** if you use OneDrive.
+
+#### Push To Install
+
+- Turn off Push To Install service: **Enabled**
+
+#### Search
+
+- Allow Cortana: **Disabled**
+- Don't search the web or display web results in Search: **Enabled**
+- Set what information is shared in Search: **Enabled**
+  - Type of information: **Anonymous info**
+
+#### Sync your settings
+
+- Do not sync: **Enabled**
+
+#### Text input
+
+- Improve inking and typing recognition: **Disabled**
+
+#### Windows Error Reporting
+
+- Do not send additional data: **Enabled**
+- Consent > Configure Default consent: **Enabled**
+  - Consent level: **Always ask before sending data**

i18n/hi/os/windows/index.md

@@ -0,0 +1,62 @@
+---
+title: Windows Overview
+icon: simple/windows
+---
+
+**Microsoft Windows** is a proprietary operating system in widespread use. Recent versions of Windows, especially Windows 11, are widely considered to be the most privacy-invasive and least secure modern operating systems.
+
+If you have the choice between Windows 10 and Windows 11, we would recommend using Windows 10 for as long as possible. Windows 10 will be supported until October 2025. However, no current version of Windows respects your privacy without extensive modifications that are often undone by future updates from Microsoft. Consider [Linux](../linux-overview.md) if you'd prefer an operating system that respects your privacy and preferences.
+
+Microsoft continually adds new cloud-based features to Windows 11 which are enabled by default without user consent. Most recently (as of May 2024), they've introduced a built-in keylogger called **Recall** (part of their AI features) which records every keystroke on your device, and records your screen by screenshotting at regular intervals. This data is stored unsafely in a local database that is decrypted when your device is powered on, meaning it is an easy target for hackers. It will not redact sensitive information like copied passwords or financial information from the database, but it does protect Hollywood movie studios by not recording copyrighted content. This feature is currently only on certain newer devices, but it serves as an example of how little Microsoft cares about your security and privacy.
+
+## Guides
+
+You can enhance your privacy and security on Windows without downloading any third-party tools with these guides:
+
+- Initial Installation (coming soon)
+- [Group Policy Settings](group-policies.md)
+- Privacy Settings (coming soon)
+- Application Sandboxing (coming soon)
+- Security Hardening (coming soon)
+
+This section is a work in progress, because it takes considerably more time and effort to make a Windows installation usable compared to other operating systems. Additional guides are coming soon!
+
+## Privacy History
+
+Especially since the release of Windows 8, Microsoft has demonstrated extremely privacy-invasive behavior with their operating system releases, consistently taking advantage of the fact that Windows is the most widely-used desktop operating system. Windows 10 was widely [criticized](https://www.theguardian.com/technology/2015/jul/31/windows-10-microsoft-faces-criticism-over-privacy-default-settings) for having default settings that sent a lot of data and telemetry back to Microsoft, [including](https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Telemetry_and_data_collection) "User's contacts and calendar events, location data and history, 'telemetry' (diagnostics data) [...] and 'advertising ID', as well as further data when the Cortana assistant is enabled" (which it is by default). Windows 10 also made it much more challenging to change default applications (such as your web browser) away from Microsoft-provided apps, which is behavior that still persists today.
+
+At launch, telemetry could not be disabled in non-enterprise editions of Windows 10. It still cannot be disabled, but Microsoft added the ability to [reduce the teletetry](https://www.extremetech.com/computing/243079-upcoming-windows-update-reduces-spying-microsoft-still-mum-data-collects) sent to them.
+
+Windows 11 has introduced even more privacy-invasive behavior, including:
+
+- Being forced to use a Microsoft account instead of a local account on Home editions, and still hiding away local account options on Pro editions and higher.
+- Enabling virtually all data collection options by default.
+- Heavily integrating Microsoft services like Bing, OneDrive, and Teams in ways which are difficult to remove.
+- Adding (cloud-based) AI features to many areas in Windows and various Microsoft Apps.
+- Unnecessarily storing massive amounts of sensitive data. Even data which is stored locally and not sent to Microsoft is still a target for hackers or malware on your device.
+
+Microsoft often abuses the automatic updates feature to add new functionality to your device that collects your data and is enabled by default.
+
+Some privacy features in Windows 11 are locked to devices in the European Union. We have not yet found a way to reliably access those settings worldwide.
+
+## Windows Editions
+
+Many critical privacy and security features are unfortunately locked away behind higher-cost editions of Windows, instead of being available in Windows Home Edition. Some features missing from **Windows Home Edition** include Bitlocker Drive Encryption, Hyper-V, and Windows Sandbox. In our Windows guides we will cover how to use all of these features appropriately, so having a premium edition of Windows will be critical.
+
+**Windows Enterprise** provides the most flexibility when it comes to configuring privacy and security settings built in to Windows. For example, they are the only editions that allow you to enable the highest level of restrictions on data sent to Microsoft via telemetry tools. Unfortunately, Enterprise is not available for retail purchase, so it may not be available to you.
+
+The best version available for _retail_ purchase is **Windows Pro Edition**. This version does not allow you to set some of the most restrictive limitations on Microsoft's telemetry unfortunately, but does have nearly all of the features you'll want to use to secure your device, including Bitlocker, Hyper-V, etc.
+
+Students and teachers may be able to obtain **Windows Education** (equivalent to Enterprise) or **Windows Pro Education** (equivalent to Pro) for free (including on personal devices) from their educational institution. Many schools partner with Microsoft via OnTheHub or Microsoft Azure for Education, so you can check those sites or your school's benefits page to see if you qualify. Whether or not you are able to get these licenses depends entirely on your institution. This may be the best way for many people to obtain an Enterprise-level edition of Windows for personal use. There are no additional privacy or security risks associated with using an Education license compared to the retail versions.
+
+It is not recommended to use forks or modified versions of Windows such as Windows AME. Since modified versions of Windows like Windows AME don't receive updates, security features and antivirus definitions in Windows Defender will fall behind the current threat landscape, opening you up to attacks.
+
+## Obtaining Windows
+
+Currently, only Windows 11 license keys are available for purchase, but these keys will work on Windows 10 as well, so you can still purchase a Windows 11 Pro key to activate a Windows 10 install.
+
+The official [Media Creation tool](https://www.microsoft.com/software-download/windows10) is the best way to put a Windows installer on a USB flash drive. Third-party tools like Rufus or Etcher may unexpectedly modify the files, which could lead to boot issues or other troubles with installing.
+
+This tool only lets you install a Home or Pro edition installation, as there are no publicly available downloads for Windows Enterprise Edition. However, if you have an Enterprise Edition license key, you can easily upgrade a Pro installation. Just install Windows Pro without entering a license key during setup, then enter your Enterprise key in the Settings app after completing the install. Your Pro Edition install will upgrade to Enterprise Edition automatically after entering a valid license key.
+
+If you are installing an Education edition, typically a private download will be provided alongside your license key when you obtain it from your institution's benefits portal.

i18n/hi/security-keys.md

@@ -0,0 +1,134 @@
+---
+title: Security Keys
+icon: material/key-chain
+description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
+cover: multi-factor-authentication.webp
+---
+
+A physical **security key** adds a very strong layer of protection to your online accounts. Compared to [authenticator apps](multi-factor-authentication.md), the FIDO2 security key protocol is immune to phishing, and cannot be compromised without physical possession of the key itself. Many services support FIDO2/WebAuthn as a multi-factor authentication option for securing your account, and some services allow you to use a security key as a strong single-factor authenticator with passwordless authentication.
+
+## Yubico Security Key
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Security Key Series by Yubico](assets/img/security-keys/yubico-security-key.webp){ width="315" }
+</figure>
+
+The **Yubico Security Key** series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/security-key/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+These keys are available in both USB-C and USB-A variants, and both options support NFC for use with a mobile device as well.
+
+This key provides only basic FIDO2 functionality, but for most people that is all you will need. Some notable features the Security Key series does **not** have include:
+
+- [Yubico Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+- CCID Smart Card support (PIV-compatibile)
+- OpenPGP
+
+If you need any of those features, you should consider their higher-end [YubiKey](#yubikey) of products instead.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of Yubico's Security Keys is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## YubiKey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![YubiKeys](assets/img/security-keys/yubikey.png){ width="400" }
+</figure>
+
+The **YubiKey** series from Yubico are among the most popular security keys. The YubiKey 5 Series has a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
+
+[:octicons-home-16: Homepage](https://www.yubico.com/products/yubikey-5-overview/){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare to each other and to Yubico's [Security Key](#yubico-security-key) series. One of the benefits of the YubiKey series is that one key can do almost everything you could expect from a hardware security key. We encourage you to take their [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
+
+The Yubikey 5 series has FIDO Level 1 certification, which is the most common. However, some governments or other organizations may require a key with Level 2 certification, in which case you'll have to purchase a [Yubikey 5 **FIPS** series](https://www.yubico.com/products/yubikey-fips/) key, or a [Yubico Security Key](#yubico-security-key). Most people do not have to worry about this distinction.
+
+YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
+
+For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+The firmware of YubiKey is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
+
+</div>
+
+## Nitrokey
+
+<div class="admonition recommendation" markdown>
+
+<figure markdown="span">
+  ![Nitrokey](assets/img/security-keys/nitrokey.jpg){ width="300" }
+</figure>
+
+**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
+
+[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
+[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
+[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
+
+</details>
+
+</div>
+
+The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
+
+Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
+
+For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
+
+</div>
+
+<div class="admonition warning" markdown>
+<p class="admonition-title">Warning</p>
+
+Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
+
+</div>
+
+## Criteria
+
+**Please note we are not affiliated with any of the projects we recommend.** In addition to [our standard criteria](about/criteria.md), we have developed a clear set of requirements to allow us to provide objective recommendations. We suggest you familiarize yourself with this list before choosing to use a project, and conduct your own research to ensure it's the right choice for you.
+
+### Minimum Requirements
+
+- Must use high quality, tamper resistant hardware security modules.
+- Must support the latest FIDO2 specification.
+- Must not allow private key extraction.
+- Devices which cost over $35 must support handling OpenPGP and S/MIME.
+
+### Best-Case
+
+Our best-case criteria represents what we would like to see from the perfect project in this category. Our recommendations may not include any or all of this functionality, but those which do may rank higher than others on this page.
+
+- Should be available in USB-C form-factor.
+- Should be available with NFC.
+- Should support TOTP secret storage.
+- Should support secure firmware updates.

i18n/hi/tools.md

@@ -166,7 +166,7 @@ We [recommend](dns.md#recommended-providers) a number of encrypted DNS servers b
 
 <div class="grid cards" markdown>
 
-- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente)
+- ![Ente logo](assets/img/photo-management/ente.svg#only-light){ .twemoji loading=lazy }![Ente logo](assets/img/photo-management/ente.svg#only-dark){ .twemoji loading=lazy } [Ente Photos](photo-management.md#ente-photos)
 - ![Stingle logo](assets/img/photo-management/stingle.png#only-light){ .twemoji loading=lazy }![Stingle logo](assets/img/photo-management/stingle-dark.png#only-dark){ .twemoji loading=lazy } [Stingle](photo-management.md#stingle)
 - ![PhotoPrism logo](assets/img/photo-management/photoprism.svg){ .twemoji loading=lazy } [PhotoPrism](photo-management.md#photoprism)
 
@@ -336,10 +336,10 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 ### Multi-Factor Authentication Tools
 
+**Note:** [Hardware security keys](#security-keys) have been moved to their own category.
+
 <div class="grid cards" markdown>
 
-- ![YubiKeys](assets/img/multi-factor-authentication/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](multi-factor-authentication.md#yubikey)
-- ![Nitrokey](assets/img/multi-factor-authentication/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](multi-factor-authentication.md#nitrokey)
 - ![Ente Auth logo](assets/img/multi-factor-authentication/ente-auth.png){ .twemoji loading=lazy } [Ente Auth](multi-factor-authentication.md#ente-auth)
 - ![Aegis logo](assets/img/multi-factor-authentication/aegis.png){ .twemoji loading=lazy } [Aegis Authenticator (Android)](multi-factor-authentication.md#aegis-authenticator-android)
 
@@ -423,6 +423,20 @@ For encrypting your operating system drive, we typically recommend using whichev
 
 [Learn more :material-arrow-right-drop-circle:](real-time-communication.md)
 
+## Hardware
+
+### Security Keys
+
+<div class="grid cards" markdown>
+
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [Yubico Security Key](security-keys.md#yubico-security-key)
+- ![Yubico logo](assets/img/security-keys/mini/yubico.svg){ .twemoji loading=lazy } [YubiKey](security-keys.md#yubikey)
+- ![Nitrokey](assets/img/security-keys/mini/nitrokey.svg){ .twemoji loading=lazy } [Nitrokey](security-keys.md#nitrokey)
+
+</div>
+
+[Learn more :material-arrow-right-drop-circle:](security-keys.md)
+
 ## Operating Systems
 
 ### Mobile

i18n/hu/basics/multi-factor-authentication.md

@@ -36,7 +36,7 @@ Unlike [WebAuthn](#fido-fast-identity-online), TOTP offers no protection against
 
 An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.
 
-Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../multi-factor-authentication.md#hardware-security-keys) are not supported [authenticator apps](../multi-factor-authentication.md#authenticator-apps) are still a good option.
+Although not perfect, TOTP is secure enough for most people, and when [hardware security keys](../security-keys.md) are not supported [authenticator apps](../multi-factor-authentication.md) are still a good option.
 
 ### Hardware security keys
 

i18n/hu/basics/passwords-overview.md

@@ -113,7 +113,7 @@ There are many good options to choose from, both cloud-based and local. Choose o
 <div class="admonition warning" markdown>
 <p class="admonition-title">Don't place your passwords and TOTP tokens inside the same password manager</p>
 
-When using TOTP codes as [multi-factor authentication](../multi-factor-authentication.md), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md#authenticator-apps).
+When using [TOTP codes as multi-factor authentication](multi-factor-authentication.md#time-based-one-time-password-totp), the best security practice is to keep your TOTP codes in a [separate app](../multi-factor-authentication.md).
 
 Storing your TOTP tokens in the same place as your passwords, while convenient, reduces the accounts to a single factor in the event that an adversary gains access to your password manager.
 

i18n/hu/multi-factor-authentication.md

@@ -1,110 +1,22 @@
 ---
-title: "Multi-Factor Authenticators"
+title: "Multi-Factor Authentication - Többlépcsős Hitelesítés"
 icon: 'material/two-factor-authentication'
 description: These tools assist you with securing your internet accounts with Multi-Factor Authentication without sending your secrets to a third-party.
 cover: multi-factor-authentication.webp
 ---
 
-## Hardware Security Keys
+<div class="admonition note" markdown>
+<p class="admonition-title">Hardware Keys</p>
 
-### YubiKey
-
-<div class="admonition recommendation" markdown>
-
-![YubiKeys](assets/img/multi-factor-authentication/yubikey.png)
-
-The **YubiKeys** are among the most popular security keys. Some YubiKey models have a wide range of features such as: [Universal 2nd Factor (U2F)](https://en.wikipedia.org/wiki/Universal_2nd_Factor), [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online), [Yubico OTP](basics/multi-factor-authentication.md#yubico-otp), [Personal Identity Verification (PIV)](https://developers.yubico.com/PIV), [OpenPGP](https://developers.yubico.com/PGP), [TOTP and HOTP](https://developers.yubico.com/OATH) authentication.
-
-One of the benefits of the YubiKey is that one key can do almost everything (YubiKey 5), you could expect from a hardware security key. We do encourage you to take the [quiz](https://yubico.com/quiz) before purchasing in order to make sure you make the right choice.
-
-[:octicons-home-16: Homepage](https://yubico.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://yubico.com/support/terms-conditions/privacy-notice){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.yubico.com){ .card-link title=Documentation}
-
-</details>
+[Hardware security key recommendations](security-keys.md) have been moved to their own category.
 
 </div>
 
-The [comparison table](https://yubico.com/store/compare) shows the features and how the YubiKeys compare. We highly recommend that you select keys from the YubiKey 5 Series.
-
-YubiKeys can be programmed using the [YubiKey Manager](https://yubico.com/support/download/yubikey-manager) or [YubiKey Personalization Tools](https://yubico.com/support/download/yubikey-personalization-tools). For managing TOTP codes, you can use the [Yubico Authenticator](https://yubico.com/products/yubico-authenticator). All of Yubico's clients are open source.
-
-For models which support HOTP and TOTP, there are 2 slots in the OTP interface which could be used for HOTP and 32 slots to store TOTP secrets. These secrets are stored encrypted on the key and never expose them to the devices they are plugged into. Once a seed (shared secret) is given to the Yubico Authenticator, it will only give out the six-digit codes, but never the seed. This security model helps limit what an attacker can do if they compromise one of the devices running the Yubico Authenticator and make the YubiKey resistant to a physical attacker.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Figyelmeztetés</p>
-
-The firmware of YubiKey is not open source and is not updatable. If you want features in newer firmware versions, or if there is a vulnerability in the firmware version you are using, you would need to purchase a new key.
-
-</div>
-
-### Nitrokey
-
-<div class="admonition recommendation" markdown>
-
-![Nitrokey](assets/img/multi-factor-authentication/nitrokey.jpg){ align=right }
-
-**Nitrokey** has a security key capable of [FIDO2 and WebAuthn](basics/multi-factor-authentication.md#fido-fast-identity-online) called the **Nitrokey FIDO2**. For PGP support, you need to purchase one of their other keys such as the **Nitrokey Start**, **Nitrokey Pro 2** or the **Nitrokey Storage 2**.
-
-[:octicons-home-16: Homepage](https://nitrokey.com){ .md-button .md-button--primary }
-[:octicons-eye-16:](https://nitrokey.com/data-privacy-policy){ .card-link title="Privacy Policy" }
-[:octicons-info-16:](https://docs.nitrokey.com){ .card-link title=Documentation}
-
-</details>
-
-</div>
-
-The [comparison table](https://nitrokey.com/#comparison) shows the features and how the Nitrokey models compare. The **Nitrokey 3** listed will have a combined feature set.
-
-Nitrokey models can be configured using the [Nitrokey app](https://nitrokey.com/download).
-
-For the models which support HOTP and TOTP, there are 3 slots for HOTP and 15 for TOTP. Some Nitrokeys can act as a password manager. They can store 16 different credentials and encrypt them using the same password as the OpenPGP interface.
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Figyelmeztetés</p>
-
-While Nitrokeys do not release the HOTP/TOTP secrets to the device they are plugged into, the HOTP and TOTP storage is **not** encrypted and is vulnerable to physical attacks. If you are looking to store HOTP or TOTP secrets, we highly recommend that you use a YubiKey instead.
-
-</div>
-
-<div class="admonition warning" markdown>
-<p class="admonition-title">Figyelmeztetés</p>
-
-Resetting the OpenPGP interface on a Nitrokey will also make the password database [inaccessible](https://docs.nitrokey.com/pro/linux/factory-reset).
-
-</div>
-
-The Nitrokey Pro 2, Nitrokey Storage 2, and the upcoming Nitrokey 3 supports system integrity verification for laptops with the [Coreboot](https://coreboot.org) + [Heads](https://osresearch.net) firmware.
-
-Nitrokey's firmware is open source, unlike the YubiKey. The firmware on modern NitroKey models (except the **NitroKey Pro 2**) is updatable.
-
-### Követelmények
-
-**Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
-
-#### Alap elvárások
-
-- Must use high quality, tamper resistant hardware security modules.
-- Must support the latest FIDO2 specification.
-- Must not allow private key extraction.
-- Devices which cost over $35 must support handling OpenPGP and S/MIME.
-
-#### Legjobb esetben
-
-A legjobb esetben alkalmazott követelményeink azt fejezik ki, hogy mit szeretnénk látni egy kifogástalan projekttől ebben a kategóriában. Előfordulhat, hogy ajánlásaink nem tartalmazzák az összes ilyen funkciót, de azok, amelyek igen, magasabb helyen szerepelhetnek, mint mások ezen az oldalon.
-
-- Should be available in USB-C form-factor.
-- Should be available with NFC.
-- Should support TOTP secret storage.
-- Should support secure firmware updates.
-
-## Authenticator Apps
-
-Authenticator Apps implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
+**Multi-Factor Authentication Apps** implement a security standard adopted by the Internet Engineering Task Force (IETF) called **Time-based One-time Passwords**, or **TOTP**. This is a method where websites share a secret with you which is used by your authenticator app to generate a six (usually) digit code based on the current time, which you enter while logging in for the website to check. Typically these codes are regenerated every 30 seconds, and once a new code is generated the old one becomes useless. Even if a hacker gets one six-digit code, there is no way for them to reverse that code to get the original secret or otherwise be able to predict what any future codes might be.
 
 We highly recommend that you use mobile TOTP apps instead of desktop alternatives as Android and iOS have better security and app isolation than most desktop operating systems.
 
-### Ente Auth
+## Ente Auth
 
 <div class="admonition recommendation" markdown>
 
@@ -129,7 +41,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 
 </div>
 
-### Aegis Authenticator (Android)
+## Aegis Authenticator (Android)
 
 <div class="admonition recommendation" markdown>
 
@@ -154,7 +66,7 @@ We highly recommend that you use mobile TOTP apps instead of desktop alternative
 </div>
 
 <!-- markdownlint-disable-next-line -->
-### Követelmények
+## Követelmények
 
 **Tartsd figyelemben, hogy nem állunk kapcsolatban az általunk ajánlott projektek egyikével sem.** Az [alap kritériumaink mellett](about/criteria.md), egyértelmű követelményrendszert dolgoztunk ki, hogy objektív ajánlásokat tudjunk tenni. Javasoljuk, hogy ismerkedj meg ezzel a listával, mielőtt kiválasztanál egy projektet, és végezz saját kutatásokat, hogy megbizonyosodj arról, hogy ez a megfelelő választás számodra.
 

i18n/hu/os/index.md

@@ -0,0 +1,19 @@
+---
+title: Operációs Rendszerek
+---
+
+We publish configuration guides for the major operating systems, because you can generally improve the amount of data that is collected about you on any option, especially if you use [privacy tools](../tools.md) like our recommended web browsers in place of native tools where appropriate. However, some operating systems will be more privacy-respecting inherently, and it will be much harder to achieve an equivalent level of privacy on other choices.
+
+If you're starting from scratch, we strongly recommend [Linux](../desktop.md) on desktop and [Android](../android.md) on mobile. If you already use something else and aren't interested in switching, we hope you'll find these guides useful.
+
+## Mobile Operating Systems
+
+- [Android Overview](android-overview.md) :material-star:
+- [iOS Overview](ios-overview.md)
+
+## Desktop Operating Systems
+
+- [Linux Overview](linux-overview.md) :material-star:
+- [macOS Overview](macos-overview.md)
+- [Qubes Overview](qubes-overview.md) :material-star:
+- [Windows Overview](windows/index.md)