NetworkManager/Privacy

From ArchWiki

This article overviews how to configure NetworkManager to enhance privacy and security.

Configuration

Encrypted network keyphrases

By default, NetworkManager stores network keyphrases without encryption in /etc/NetworkManager/system-connections/, read-only by root.

Consider setting up a keyring: GNOME/Keyring, KDE Wallet, then choose Store the password only for this user. Existing connections can be moved to the keyring from Edit > Wi-Fi Security tab, and choosing the option. This can be edited by e.g: nm-connection-editor.

On a single user machine, it is enough to set up encryption for root partition. See: Dm-crypt.

MAC Randomization

See MAC address spoofing.

Connectivity checks

You can check if NetworkManager issues automatic connectivity checks from:

$ nmcli networking connectivity check

You can add:

/etc/NetworkManager/conf.d/privacy.conf
[connectivity]
enabled=false

Hiding machine hostname

Currently, NetworkManager does not support a global option for disabling sending hostname. It has to be changed per connection.

/etc/NetworkManager/system-connections/
[ipv4]
dhcp-send-hostname=false

[ipv6]
dhcp-send-hostname=false