Security checklist before traveling to high-risk countries.
Short answer
The airport is too late. By the time you are at the border, every decision that matters has already been made. This checklist works backwards from the border crossing: three weeks before, one week before, 48 hours before, at the border, in-country, returning. Each phase has specific actions. None of them work if you start on the plane.
This checklist exists because most people do their security setup on the flight. That’s not a security setup. That’s a feeling of security that doesn’t protect anything.
Three weeks before departure
Assess the specific threat profile of your destination. State surveillance? Criminal risk? Targeted? Opportunistic? The answer changes everything that follows.
Decide whether you’re travelling with your regular device or a travel device. If the stakes justify it, a travel device is a cheap phone reset to factory settings with no personal accounts linked. Decide now, not the night before. (See: what they can extract in 6 hours.)
If using your regular device: audit every app that has location access, microphone access, or camera access. Remove what you don’t need. Revoke permissions you don’t actively use.
Review your cloud backup settings. Decide what should not be in the cloud during this trip. Disable backup for sensitive apps. Do this before the trip, not after.
One week before departure
Enable USB Restricted Mode on your iPhone. Settings > Face ID & Passcode > Allow Access When Locked > USB Accessories: OFF.
Change your device PIN to a strong alphanumeric passphrase if you haven’t already. Six digits is not adequate for high-risk environments.
Set up a VPN and test it. Don’t install it on the flight. Test that it connects and that Stealth or obfuscation mode works from your home network before you depend on it abroad. (See: a VPN won’t save you if this already happened.)
Identify which VPN protocols work in your destination. Some countries block OpenVPN and WireGuard but not obfuscated traffic. Know this in advance.
Install Signal. Enable disappearing messages. Test with a contact you’ll be communicating with during the trip.
Set up a Proton Mail address for any communications that shouldn’t go through your primary email during the trip. Brief contacts and sources about this address change before you leave.
Photograph or note the serial numbers of your devices. If a device is tampered with at a border or seized and returned, you need to be able to verify it’s the same device.
48 hours before departure
Back up your device to an encrypted local backup. Not cloud. A physical backup you control, before you leave.
Log out of social media accounts you won’t actively need. Dormant logged-in sessions are unnecessary exposure.
Confirm your VPN is working. Actually connect to it and verify your IP address has changed through a site like ipleak.net.
Review what’s in your email inbox. Anything that would be sensitive if a border agent read it during a device inspection should not be in an unencrypted inbox.
At the border
Border agents in many countries have the legal authority to search electronic devices without a warrant. In the US, this applies to both citizens and non-citizens at ports of entry.
If asked to unlock your device, you are generally legally required to comply in most jurisdictions. Refusing may result in detention, device seizure, or denial of entry. Know the legal situation for your specific destination in advance.
If your device is taken from your physical sight for any period, assume it has been imaged or tampered with. Do not reconnect it to sensitive networks or accounts until you have reviewed it.
A device that has been out of your control is a compromised device until proven otherwise.
In-country
VPN on at all times on all networks you don’t control. This includes hotel Wi-Fi, conference Wi-Fi, and local SIM data connections in high-risk environments.
Sensitive communications on Signal with disappearing messages. Never on SMS. Never on WhatsApp without reviewing backup settings.
Location services: disable for all apps that don’t need it for their core function during the trip. Your location at any given time is metadata. Metadata is evidence.
If you believe you’re being followed or monitored: stop. Assess. Don’t make operational decisions under pressure.
Returning
If your device was in any situation where physical access was uncontrolled: do not reconnect it to your home network or sensitive accounts before reviewing it.
Change passwords for any accounts accessed during the trip from your home network, using a device that wasn’t with you.
Review your device for anything unexpected: new apps, changed settings, battery drain patterns that suggest background processes.
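An added example, not part of the original article: one way to turn the serial-number note and the post-trip review into a repeatable check, by recording a baseline before departure and comparing it with the device on return. The record layout, field names and sample values are assumptions constructed for illustration; how you collect the app list and settings is up to you.

```python
import hashlib
import json

# Constructed sample data: the record layout and every value are hypothetical.
BASELINE = {
    "serial": "EXAMPLE-SERIAL-0001",
    "apps": ["org.example.mail", "org.example.messenger", "org.example.vpn"],
    "settings": {"usb_accessories_when_locked": False, "cloud_backup": False},
}
RETURNED = {
    "serial": "EXAMPLE-SERIAL-0001",
    "apps": ["org.example.mail", "org.example.vpn", "com.example.helper"],
    "settings": {"usb_accessories_when_locked": True, "cloud_backup": False},
}

def baseline_digest(snapshot):
    """SHA-256 over a canonical form; keep this value off the travel device."""
    canonical = dict(snapshot, apps=sorted(snapshot.get("apps", [])))
    data = json.dumps(canonical, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def compare_snapshots(baseline, current, expected_digest=None):
    """Return findings as strings; an empty list means no difference found."""
    findings = []
    # A baseline that was stored on the device itself cannot be trusted.
    if expected_digest is not None and baseline_digest(baseline) != expected_digest:
        return ["BASELINE ALTERED: digest does not match the recorded value"]
    if baseline.get("serial", "").strip().upper() != current.get("serial", "").strip().upper():
        findings.append("SERIAL MISMATCH: this may not be the same device")
    before, after = set(baseline.get("apps", [])), set(current.get("apps", []))
    findings += [f"NEW APP: {a}" for a in sorted(after - before)]
    findings += [f"REMOVED APP: {a}" for a in sorted(before - after)]
    old, new = baseline.get("settings", {}), current.get("settings", {})
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name):
            findings.append(f"SETTING CHANGED: {name} {old.get(name)!r} -> {new.get(name)!r}")
    return findings

if __name__ == "__main__":
    recorded = baseline_digest(BASELINE)  # noted before departure
    for line in compare_snapshots(BASELINE, RETURNED, recorded):
        print(line)
```

An empty result only means the recorded items still match. It does not show that a device which was out of your control is clean.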
Security for travel isn’t what you do at the border. It’s what you build three weeks before you get there.
Affiliate disclosure: this article contains a link to Proton. Mullvad is also mentioned, no affiliate link, no commercial relationship. We recommend it anyway.
There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
