Security checklist before traveling to high-risk countries.

The airport is too late. By the time you’re at the border, every decision that matters has already been made.

This checklist exists because most people do their security setup on the flight. That’s not a security setup. That’s a feeling of security that doesn’t protect anything.

Three weeks before departure

Assess the specific threat profile of your destination. State surveillance? Criminal risk? Targeted? Opportunistic? The answer changes everything that follows. The exercise is documented step by step in how to build your threat model in twenty minutes. Twenty minutes spent here saves three weeks of bad decisions. For the broader operational picture, our complete guide to digital security for journalists in 2026 sits behind this checklist as the long-form reference.

Decide whether you’re travelling with your regular device or a travel device. If the stakes justify it, a travel device is a cheap phone reset to factory settings with no personal accounts linked. Decide now, not the night before.

If using your regular device: audit every app that has location access, microphone access, or camera access. Remove what you don’t need. Revoke permissions you don’t actively use.

Review your cloud backup settings. Decide what should not be in the cloud during this trip. Disable backup for sensitive apps. Do this before the trip, not after.

One week before departure

Enable USB Restricted Mode on your iPhone. Settings > Face ID & Passcode > Allow Access When Locked > USB Accessories: OFF.

Change your device PIN to a strong alphanumeric passphrase if you haven’t already. Six digits is not adequate for high-risk environments.

Set up a VPN and test it. Don’t install it on the flight. Test that it connects and that Stealth or obfuscation mode works from your home network before you depend on it abroad.. The case of a VPN that won’t save you if this already happened covers what failure mode this prevents

Identify which VPN protocols work in your destination. Some countries block OpenVPN and WireGuard but not obfuscated traffic. Know this in advance.

Install Signal. Enable disappearing messages. Test with a contact you’ll be communicating with during the trip.

Set up a Proton Mail address for any communications that shouldn’t go through your primary email during the trip. Brief contacts and sources about this address change before you leave.

Photograph or note the serial numbers of your devices. If a device is tampered with at a border or seized and returned, you need to be able to verify it’s the same device.

48 hours before departure

Back up your device to an encrypted local backup. Not cloud. A physical backup you control, before you leave.

Log out of social media accounts you won’t actively need. Dormant logged-in sessions are unnecessary exposure.

Confirm your VPN is working. Actually connect to it and verify your IP address has changed through a site like ipleak.net.

Review what’s in your email inbox. Anything that would be sensitive if a border agent read it during a device inspection should not be in an unencrypted inbox.

At the border

Border agents in many countries have the legal authority to search electronic devices without a warrant. Eleven minutes from seizure to full content access is the case that should be read before any high-risk crossing. The journalist had a password. It was not enough. In the US, this applies to both citizens and non-citizens at ports of entry.

If asked to unlock your device, you are generally legally required to comply in most jurisdictions. Refusing may result in detention, device seizure, or denial of entry. Know the legal situation for your specific destination in advance.

If your device is taken from your physical sight for any period, assume it has been imaged or tampered with. What forensic tools can extract from a seized device documents what gets pulled in those minutes out of your sight, including what you thought was deleted. Do not reconnect it to sensitive networks or accounts until you have reviewed it.

A device that has been out of your control is a compromised device until proven otherwise.

In-country

VPN on at all times on all networks you don’t control. This includes hotel Wi-Fi, conference Wi-Fi, and local SIM data connections in high-risk environments. Why hotel Wi-Fi is compromised before you check in covers what is actually running on those networks. The brand on the door does not change the architecture behind it.

Sensitive communications on Signal with disappearing messages. Never on SMS. Never on WhatsApp without reviewing backup settings.

Location services: disable for all apps that don’t need it for their core function during the trip. Your location at any given time is metadata. Metadata is evidence.

If you believe you’re being followed or monitored: stop. Assess. Don’t make operational decisions under pressure.

Returning

If your device was in any situation where physical access was uncontrolled: do not reconnect it to your home network or sensitive accounts before reviewing it.

Change passwords for any accounts accessed during the trip from your home network, using a device that wasn’t with you.

Review your device for anything unexpected: new apps, changed settings, battery drain patterns that suggest background processes.

Frequently asked questions

Should I use a personal or dedicated travel device?

A dedicated clean device is the safest approach for high-risk travel. If you use your personal device, treat it as compromised the moment you cross the border and audit it on return.

What should I do if my device is seized at the border?

Do not resist seizure. Note the time, officer details, and exactly what was taken. Assume the device is compromised and do not reconnect it to any accounts or networks without a full wipe and reinstall.

How far in advance should I start this checklist?

Three weeks minimum for high-risk destinations. Some steps, like setting up a clean device or enabling remote wipe, take time to implement and verify correctly before departure.

Should I tell anyone before I leave?

Brief one trusted contact who is not travelling with you. Share your itinerary, your check-in protocol, and a clear escalation path if check-ins stop. The contact does not need to be a security professional. They need to know what to do and who to call if you go quiet for longer than the agreed window. For sensitive trips, agree on a duress signal in advance, a phrase or topic that means the situation is not what it appears to be.

Security for travel isn’t what you do at the border. It’s what you build three weeks before you get there.

Proton Unlimited is the tool we recommend for encrypted email, VPN and secure storage. It’s what we’d use ourselves.

---

There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.