· Docs · Digital Sovereignty

A Pragmatic Guide to DeGoogle

How to reclaim your digital life without losing your mind — or your productivity.

The story behind this guide: you can read it on Ditching Big Tech, One Step at a Time
Contents
00

What "DeGoogling" actually means

Let's be clear about something upfront: this guide is not about Google.

Not exclusively, anyway. "DeGoogling" has become shorthand for a broader project — moving away from the surveillance economy, reclaiming ownership of your data, and reducing your dependence on centralized platforms that treat your behavior as their product. Google is the most visible example, but the same logic applies to Meta, Apple, Microsoft, and most of the dominant SaaS ecosystem.

This is also not a guide that demands a complete overhaul. There is a vocal faction in the privacy community that will tell you to run your own mail server, compile your operating system from source, and communicate exclusively through encrypted mesh networks. That approach is genuinely admirable, however that advice is mostly out of reach for people who are not tech savvy, are busy, and have finite time. If that is the standard, most people will correctly decide it is not worth it and change nothing.

The goal is pragmatism. You can meaningfully improve your privacy, reduce your exposure, and own more of your digital life without sacrificing the productivity and convenience you depend on. The transition takes time and some tolerance for rough edges — but it is achievable.
01

Why bother? Understanding the actual problem

The business model of most "free" digital services is data extraction. Your emails, search queries, calendar events, location history, and browsing patterns are harvested, aggregated, sold to data brokers, used to build behavioral profiles, and fed into advertising and influence systems. You are not the customer. You are the product.

The harm is not always obvious or immediate. But the cumulative effects are significant:

For people doing digital rights work, journalism, activism, or sensitive communications, the stakes are higher and more concrete. But even for ordinary users, the direction of travel is bad and the costs of doing nothing compound over time.
02

The pragmatic framework

Before touching a single service, accept the following:

01
You will not escape everything. Some dependencies are too deeply embedded in infrastructure to practically avoid. The goal is not purity — it is meaningful reduction in your exposure surface.This is not a failure condition. It is the correct framing.
02
You will make tradeoffs. Privacy-respecting alternatives are often less polished or require more active maintenance. Deciding which tradeoffs are acceptable depends on your threat model and how you work.
03
Start with your identity layer. Everything flows from your email address and identity. Get that right first, and the rest becomes much more tractable.
04
Move gradually. Trying to migrate everything at once is a reliable way to fail. Pick the highest-value changes and work one category at a time.
05
Do not let perfect be the enemy of good. Using Proton instead of Gmail is a genuine improvement, even if Proton is not self-hosted. Using Signal instead of WhatsApp is a genuine improvement, even if some contacts still use WhatsApp.

03

Phase 1 — Email and domain

The problem with Gmail

Your Gmail address is not just a communication channel. It is your identity across the internet. Every service you have ever registered with that address is linked to a Google-controlled namespace. Google can read your emails, cross-references them with your search history and location data, and the address itself belongs to them, not you.

The solution: own your identity at the domain level

The single most important infrastructure investment you can make is buying a personal domain. It costs roughly 10–15 EUR per year. What it buys you is portability: your email address becomes you@yourdomain.com, which you control regardless of which provider handles delivery.

The key insight: if you decide to move from Proton to Fastmail to a self-hosted server in five years, your email address stays the same. Your contacts do not change. Your identity is yours. The domain is the stable layer — not the provider.
01
Register a domain through a privacy-forward registrar with WHOIS privacy enabledNamecheap with WHOIS Privacy or Njalla are reasonable choices.
02
Sign up for Proton Mail on a paid plan — required for custom domain supportSwiss law, end-to-end encrypted, open source clients. The pragmatic choice given the alternative is running your own mail server.
03
Point your domain's MX records at Proton via the Proton admin panelTakes 10–30 minutes to propagate. Your domain email is now live.
04
Create at least two addresses: one for day-to-day use, one for sensitive/financial/professional useSeparation of concerns. A data breach at a shopping site shouldn't touch the same address as your bank.
05
Use Proton's Easy Switch tool to import historical emails from GmailFor anything sensitive, download manually via Google Takeout and archive locally.
06
Set forwarding rules in your old Gmail so important contacts route to your new address while you migrate servicesTreat the old Gmail as a legacy drain, not a primary inbox.
07
Notify contacts — a short email explaining the change is enough. Most people will update naturally once they reply.

Email aliases

Once you have a domain, use email aliases for every service registration. Tools like Proton Pass or SimpleLogin generate disposable addresses like random-alias@some-domain.com that forward to your real inbox.

Why aliases matter: you can trace exactly which service sold your address when spam arrives. You can disable a single alias without touching your primary email. And your real address is never exposed to third parties you do not fully trust.

A better approach: subdomain catch-all

Using Proton Pass aliases works, but comes with a subtle risk: those aliases live under Proton's domains (like passmail.net or passfwd.com). If you ever want to leave Proton, you would need to manually update every service you registered with those addresses. That is vendor lock-in by the back door.

A cleaner solution if you have a custom domain: create a dedicated subdomain for consumer services — for example alias.yourdomain.com — and add it as a secondary email domain in Proton. Then enable catch-all on that subdomain. Any email sent to anything@alias.yourdomain.com lands in your inbox, with no need to create addresses in advance.

01
Create a subdomain in your DNS registrar — e.g. alias.yourdomain.comA subdomain keeps it visually separate from your primary email domain.
02
Add the subdomain as a custom domain in Proton Mail and point its MX records at Proton
03
Enable catch-all for that domain in Proton Mail settingsAny address under the subdomain now routes to your inbox automatically.
04
Use servicename@alias.yourdomain.com when registering for any consumer servicee.g. amazon@alias.yourdomain.com, netflix@alias.yourdomain.com — no setup required per service.
05
Set up email filters to keep your inbox cleanRoute all catch-all mail to a label or folder so it doesn't clutter your primary inbox.
Why this is better: every alias is under your own domain. If you leave Proton, you repoint the subdomain's MX records to a new provider and every alias comes with you — no manual migration per service required.
Alternative: if you prefer not to use a subdomain, a separate second domain works just as well — point it at Proton the same way. Slightly more cost but a cleaner separation if you want to keep consumer services entirely distinct.

04

Phase 2 — Passwords and credentials

Reusing passwords is the most common vector for account compromise. A password manager generates and stores unique, complex passwords for every service. If one service is breached, no other account is at risk.

The cloud vault problem: most popular managers (1Password, LastPass) store your encrypted vault on their servers. You must trust them with the encrypted form of your most sensitive credentials. LastPass's 2022 breach demonstrated the consequences when that trust is misplaced.

A layered approach by sensitivity

Rather than choosing one tool, split credentials by sensitivity level:

Tier Tool Use for Storage
standard Proton Pass Most services, alias generation, day-to-day Proton-encrypted cloud
sensitive KeePassXC Financial, email, SSH keys, seed phrases Local encrypted file, you control sync
avoid LastPass, browser keychain Third-party cloud, opaque encryption
KeePassXC + Proton Drive: store your KeePass database file on Proton Drive. It is encrypted before it leaves your machine — Proton never holds the plaintext. On iOS, KeePassium opens the file directly from your cloud storage provider.

05

Phase 3 — Cloud storage and documents

The Google Docs problem

Google Docs and Sheets are genuinely excellent products. Moving away from them is probably the hardest practical concession in this entire guide. The collaboration features, the spreadsheet functionality, the ubiquity — nothing else matches them without friction.

Honest take: if Google Sheets is deeply embedded in your workflow, keeping a legacy Google account for that purpose while moving everything else is a defensible compromise. You are making a targeted tradeoff, not abandoning the project.

Storage alternatives

Tool Type Best for
Proton Drive Managed cloud Files, sharing, quick setup — pragmatic default
Nextcloud Self-hosted Full control — files, calendar, contacts, docs via Collabora
Immich Self-hosted Photo library — Google Photos replacement, mobile app included
Standard Notes Managed / self-hosted Encrypted notes — Google Keep replacement

Migration from Google

01
Download everything via Google Takeout — Drive, Photos, Keep, Calendar, ContactsRequest an export, wait for the email, download the archives. Do not skip this step.
02
Use the migration as an opportunity to delete — not everything needs to follow youYears of accumulated noise is a good time for a clean break.
03
Upload files to Proton Drive or Nextcloud depending on your setup
04
Import .ics calendar exports into Proton CalendarGoogle Calendar → Settings → Export. Proton Calendar → Import.
05
Import .vcf contacts export into Proton Contacts

06

Phase 4 — Browser and search

Browser

Uninstall Chrome. It is, functionally, a telemetry and advertising platform that also renders web pages.

Browser Role Notes
Firefox primary Open source, Mozilla Foundation, extensible. Pair with uBlock Origin + Multi-Account Containers.
Brave fallback Strong defaults, Chromium-based. Disable Rewards, News, Wallet. See the Firefox hardening guide for Brave cleanup steps.
Chrome / Edge / Opera avoid Operated by advertising companies or entities with opaque data practices.
Firefox Multi-Account Containers is one of the highest-value things you can do for browser privacy short of Arkenfox. It isolates workstreams — work tabs, personal browsing, social media, research — into separate cookie jars that cannot cross-track each other. A tracker embedded in a link can tie your RESEARCH identity to your PERSONAL one if you open it in the wrong container. See the Firefox hardening guide for a full 8-container setup.

Search

Option Type Privacy model
SearXNG self-hosted Queries run locally — your searches never leave your network. Runs well on a Raspberry Pi.
DuckDuckGo managed No user profiling, US-based. Policy-based, not technical — but a significant improvement over Google.
Google / Bing avoid Queries tied to identity, used to build behavioral profiles.

07

Phase 5 — VPN and network

What a VPN does and does not do

A VPN encrypts traffic between your device and the VPN server, preventing your ISP from seeing your browsing. It replaces your IP address with the VPN server's IP. What it does not do: make you anonymous, protect against tracking cookies and fingerprinting, or secure traffic between the VPN server and its destination. A VPN shifts trust from your ISP to the VPN provider.

For everyday use: ProtonVPN — open source clients, credible no-logs policy, Swiss jurisdiction. Integrates cleanly with the rest of the Proton ecosystem.

WireGuard for home network access

If you run a home server and want to access self-hosted services while traveling, a WireGuard tunnel is the right approach. WireGuard is modern, fast, and cryptographically clean.

The setup: run a small VPS at a provider like Hetzner (German provider, EU-regulated), install WireGuard on it, and configure your home network to tunnel through it. Your home services become accessible from anywhere without being exposed directly to the internet.

WG-Easy simplifies the WireGuard configuration significantly — it provides a Docker container with a web UI for managing peers. For a single-person setup, it is more than sufficient.
Hetzner as a gateway: your VPS sees your traffic metadata, but you control the software stack. That is a better tradeoff than routing everything through a commercial VPN provider whose infrastructure you cannot inspect.

Pi-hole

If you have any home server hardware, Pi-hole is one of the highest-value installations you can make. It acts as a DNS sinkhole at the network level — blocking ad and tracker domains before they ever load, for every device on your network, without configuring anything on individual devices. Running it on a Raspberry Pi is the canonical setup, but any Linux machine works.


08

Phase 6 — Messaging and social media

Messaging

App Status Notes
Signal use E2EE by default, open source, nonprofit. The standard for private messaging.
Matrix / Element explore Decentralized, federated. Self-host your own server. Good for technical contacts.
WhatsApp legacy Network gravity is real. Keep it for contacts who won't move. Do not use for sensitive communications.
Telegram avoid Not E2EE by default. Opaque governance. Not a meaningful privacy improvement over WhatsApp.
Network migration is slow by definition. Install Signal, use it with people who have it, and don't expect overnight change. The goal is to grow the Signal proportion of your contact graph over time while treating WhatsApp as a legacy fallback.

Social media

There is no privacy-respecting equivalent of Facebook, Instagram, or Twitter with comparable network effects. The mitigation options are limited:

For longer-term migration, the Fediverse — Mastodon, Pixelfed, Bookwyrm — is a federated network of open source social platforms. The model is sound: decentralized, user-controlled, no advertising. The network is growing. Worth building a presence there even if you maintain legacy accounts.


09

Phase 7 — Local AI and the home server

Why local AI matters

Cloud AI services — ChatGPT, Claude, Gemini, and most others — send your queries to third-party servers. For many tasks this is acceptable. For sensitive work, confidential documents, private research, or situations where you simply do not want your queries logged, local models are substantially better.

The current state of open-weight models (Llama 3, Mistral, Qwen, Gemma) is genuinely capable for a wide range of tasks — summarization, drafting, coding assistance, research questions, document analysis. You will not match the largest frontier models on home hardware, but for everyday work, local models are more than adequate.

Starting point: Raspberry Pi 5 (16 GB)

A Pi 5 with 16 GB RAM is a reasonable entry for lightweight local AI. It handles 7B-parameter quantized models for everyday tasks at acceptable speed. Not fast — but functional, and runs continuously on minimal power.

Software Role Notes
Ollama Model runner Handles downloads, quantization, and serving via CLI and API. Dead simple setup.
Open WebUI Chat interface Browser-based UI comparable to ChatGPT. Connects to any Ollama instance on the network.
SearXNG Local search Pair with Open WebUI for a local AI assistant with web search capability.
Pi-hole DNS sinkhole Run alongside the above. Handles all network-level ad and tracker blocking.

The next step: a dedicated home server

For more demanding workloads — larger models, image generation, document processing, running multiple services simultaneously — a dedicated machine with a GPU is the right investment. Current pragmatic options:

Apple Silicon Mac Mini (M4 Pro or higher) — excellent performance per watt, unified memory architecture handles large models efficiently, good software ecosystem. Quiet. The right choice if you want something that just works.
Mini PC with NVIDIA GPU (RTX 4060/4070 range) — more VRAM per euro, better for GPU-intensive workloads like image generation. More configuration overhead. Right choice if you want flexibility and are comfortable with Linux.

Either machine can run: Ollama with larger models (13B–34B range depending on VRAM), Nextcloud for file storage, Immich for photos, and any other self-hosted services you want. Run everything in Docker containers for portability and easier maintenance.

NAS for long-term storage

Pair a home server with a NAS running TrueNAS or OpenMediaVault for resilient, self-owned storage. A Raspberry Pi with attached USB drives running OpenMediaVault is a low-cost starting point. Purpose-built NAS hardware is more reliable for long-term use.


10

Migration sequence

A realistic sequence that prioritizes impact and manages disruption:

Week 1 — Identity foundation

Register a personal domain
Set up Proton Mail with your domain on a paid plan
Set up Proton Pass (or KeePassXC) for passwords
Begin updating email in high-priority services: banking, financial accounts, healthcare
Notify key contacts of your new email address
Set up ProtonVPN

Week 2 — Storage and browsing

Switch to Firefox as primary browser — install uBlock Origin and Multi-Account Containers
Switch default search to DuckDuckGo or self-hosted SearXNG
Download your Google Drive, Photos, and Keep data via Google Takeout
Set up Proton Drive for cloud storage, migrate important files
Install Signal and begin encouraging key contacts

Week 3 — Communications and social

Complete email migration for remaining services
Enable email aliases for all new service registrations going forward
Evaluate social media usage — consider creating Fediverse accounts

Week 4+ — Infrastructure

Set up Pi-hole on home network for DNS-level ad/tracker blocking
Install Ollama and Open WebUI for local AI on Raspberry Pi or home server
Configure WireGuard tunnel for secure remote access to home network
Plan next hardware investment based on actual bottlenecks — not anticipated ones

11

Honest caveats

This is not complete privacy. You will still use services that collect data. Your ISP still sees DNS queries if you are not running encrypted DNS. Mobile operating systems have their own telemetry. Browsers leak fingerprinting data. The goal is meaningful reduction in exposure, not elimination.
Threat models vary. The setup appropriate for a journalist working on sensitive sources is different from what a privacy-conscious professional needs. Most people do not need hardware security keys and air-gapped machines. They do need better passwords, less exposure to data brokers, and some resistance to behavioral surveillance.
Maintenance has a cost. Self-hosted services require updates, backups, and occasional troubleshooting. This is less than most people assume — especially with Docker and reasonable defaults — but it is not zero. Size your ambitions to the maintenance burden you are actually willing to carry.
Network effects are real. You cannot unilaterally move your contacts to Signal. You cannot convince everyone you know to leave WhatsApp. Work with the network you have while building the one you want.

12

Reference: key tools

Category Tool Notes
Email provider Proton Mail Swiss law, E2EE, custom domains on paid tier
Email aliases Proton Pass / SimpleLogin Isolate service registrations from primary address
Password manager Proton Pass + KeePassXC Layered approach — cloud for convenience, local for sensitive
Cloud storage Proton Drive / Nextcloud Proton for quick setup; Nextcloud for full self-hosted control
Photos Immich Self-hosted Google Photos alternative with mobile auto-upload
Notes Standard Notes / Obsidian E2EE sync vs. local-first knowledge management
Browser Firefox uBlock Origin + Multi-Account Containers — see hardening guide
Search SearXNG / DuckDuckGo SearXNG if self-hosting; DDG as managed fallback
VPN ProtonVPN / WireGuard ProtonVPN for general use; WireGuard for home network tunneling
DNS blocking Pi-hole Network-level ad/tracker blocking for all devices
Messaging Signal Default for private messaging; encourage contacts; keep WhatsApp as fallback
Local AI Ollama + Open WebUI Pi 5 for lightweight; GPU server for serious workloads
Federated social Mastodon / Pixelfed Fediverse alternatives to Twitter/Instagram
Final thought. The surveillance economy is not going to dismantle itself. The most durable thing you can do is shift your own infrastructure — slowly, pragmatically, without demanding perfection — toward systems you understand and control. Start with your email. Own your identity. Build from there.