In the Lab: Platform Keys, Nym VPN, Jellyfin, and More

Sometimes we go quiet for a while. We recently celebrated the United States 250th birthday, but unlike the 200th anniversary, several events were canceled at the last minute because of bad weather. At least we enjoyed time with our families. On top of that, we've been busy working on some new projects and upgrades that we hope you'll find interesting. Here are a few of them.
Mini PC Upgrade
One of our everyday workhorses is a budget Beelink SER5 Mini PC. It has performed reliably for two years, especially with Ubuntu 24.04 LTS. Still, it felt like the system was not delivering its full potential. After some testing, we quickly found the culprit: the old solid-state drive (SSD).
The AMD Ryzen 5 5560U processor barely got warm under heavy loads, and the upgraded 32GB of memory was hardly being used. The SSD, however, was struggling with read and write speeds. We found a great deal on a 1TB SSD with a built-in cache and decided it was worth the investment.
Installation was quick and simple. We also used the opportunity to switch from Ubuntu to Zorin OS 18.1 (which is built on Ubuntu). Our gaming PCs were already running it, so it made sense to standardize. At the same time, we wanted to create a guide for locking down a fresh Ubuntu installation. That's when we ran into our first problem: a bad Platform Key.
The Platform Key (PK) is the root of trust in the UEFI Secure Boot system. It acts as the master key that lets the owner control other security keys. After updating the SER5 to the latest firmware, we discovered the default AMI developer key was still set as the PK. That was a problem.
We are familiar with security keys and chains of trust, but this was a new situation for us. We soon found a helpful tool called sbctl - Secure Boot Manager that let us create a new Platform Key. This allowed us to properly enable Secure Boot, lock down the kernel, and move forward with other security improvements. We know this may sound technical to some readers, but it is an important step toward a more secure system.
We followed our usual setup: encrypting the drive with LUKS, enabling the built-in UFW firewall, running a script from privacy.sexy to block trackers, and installing ClamAV for antivirus protection. This time we also tried ClamUI as a friendlier interface for running scans and using its built-in audit tool to spot more ways to tighten security.
Jellyfin Media Server
For years we used the built-in Synology Media Server to stream movies, shows, and music from our Diskstation. It worked fine for basic needs, even though it was getting quite old. After the latest manual update on the Diskstation, the media server disappeared. Like many other network attached storage devices, Synology has shifted toward running apps in Docker containers. This opened up better options.
We decided to try Jellyfin, a popular open-source media server loved by both media enthusiasts and privacy-conscious users. Following the official Jellyfin guide, the installation was straightforward. The new server quickly indexed all of our existing media library. It has only been running for less than a day so far, but we are already impressed with the results. Jellyfin also offers many client apps, including excellent third-party options like Infuse for Apple TV. We are wondering why we didn't make the switch sooner.
Nym VPN
We have mentioned Nym VPN several times as a tool we wanted to add to our privacy setup. NymVPN is a decentralized VPN (dVPN) that launched in 2025. It brings some unique features designed to resist AI-powered surveillance and traffic analysis. Unlike Jellyfin, which showed results right away, we will need more time to test and gather real-world data on NymVPN. We will share our findings once we have a clearer picture.
Wait, There's More...
These are just some of the projects we've been working on lately. We also have several exciting new topics in the works that we can't talk about yet, plus a few others that turned out to be more challenging than expected (even for experienced users).
Just a quick reminder: we are not sponsored and we do not accept donations. Everything we share comes from our own time, money, and real-world experience. Our goal is simple: to offer honest insights that help you on your privacy journey.
Remember: We may not have anything to hide, but everything to protect.
