The minimalist’s home lab, private AI + backup hygiene in 90 minutes

August 24, 2025 1 week ago 4 min read
protection

I built the laziest possible home lab.

It fits in a Sunday.

It is private, boring, and hard to screw up.

Boring is the new secure. Let’s move.

What you need

One laptop or desktop, one external SSD, one strong coffee. Optional, one cheap cloud bucket.

Ten-minute prep

  • Turn on full-disk encryption.
    • macOS, FileVault in Settings, Privacy & Security.
    • Windows, Device Encryption or BitLocker.
  • Plug in your external SSD. Name it “BACKUP_1”.

If you lose the recovery key, your files become modern art, encrypted and useless.

Store the key offline.

Passwords and passkeys, 15 minutes

Pick one track.

Track A, easy cloud, Bitwarden
Install desktop and browser extension, make a long master password, enable 2-step verification, start saving new logins as passkeys when offered.

Track B, fully local, KeePassXC
Install KeePassXC, create a vault on your disk, turn on browser integration, sync the vault file later with your own tools.

Upgrade, when ready
Add a hardware security key, buy two, register both.
Passkeys reduce phishing risk and are fast, supported across major platforms.

Backups that actually restore, 35 minutes

The rule, 3-2-1, three copies of your data, two different media, one off-site. Still the standard.

Step 1, your first copy, on the external SSD
• macOS, enable Time Machine to BACKUP_1.
• Windows, turn on File History or Windows Backup to the drive.
• Linux or power users, restic or Borg in three commands.

Step 2, your second copy, a cloud bucket
Pick any reputable provider. If they offer Object Lock, turn it on for an immutable copy, ransomware can not rewrite it for the lock period.

Step 3, verify a restore
Restore one random file to your Desktop. If it opens, you earn a cookie.

Dapp AI: Copies you can not restore are just expensive art projects.

Private AI on your machine, 20 minutes

We keep it simple.

Option 1, Ollama, dead-easy CLI
Install for macOS, Windows, or Linux.
Run a small, good model, for example:
ollama run llama3.1:8b or ollama run mistral or ollama run qwen2.5:7b.

The model library and tags are here.
Llama 3.1 is Meta’s open family with 8B and 70B sizes for local use, good balance of quality and speed.

Option 2, pretty GUI, LM Studio
Download, click, choose a model, chat locally, no cloud.

Optional, nice web UI
Pair Ollama with Open WebUI if you want a ChatGPT-like interface running locally.

Local models are private by default, but your prompts are still data.

Keep them out of screenshots and cloud sync unless you mean it.

Phishing drills, 10 minutes

  • Take Google’s quick phishing quiz, teach your eyes what to ignore.
  • Check your email on Have I Been Pwned, then change reused passwords.
  • If you run a small team, simulate safely with Gophish before real attackers do.

Curiosity is how humans get pwned.

Hover before you click, always.

Tiny habits, 10 minutes

  • New account, generate, save, enable 2-step, prefer passkey.
  • Plug the external SSD weekly. Let backups run.
  • Once a month, restore one file.
  • If anything feels off, change the password, rotate tokens, and write a 3-line incident note to future-you.

Your 90-minute clock

  • Prep, 10
  • Password manager, 15
  • Backups, 35
  • Local AI, 20
  • Phishing drill, 10

That is it. No racks, no LEDs, no cables.

Wanted minimalist, got resilient.

One-screen checklist

  • Encrypt the machine.
  • Install Bitwarden or KeePassXC.
  • Turn on 3-2-1 with one immutable off-site copy.
  • Run a local model, Ollama or LM Studio.
  • Do the phishing quiz, check HIBP.
  • Test a restore monthly.

Sources

https://support.apple.com/en-us/104984
https://support.apple.com/guide/mac-help/protect-data-on-your-mac-with-filevault-mh11785/mac
https://support.microsoft.com/en-us/windows/device-encryption-in-windows-cf7e2b6f-3e70-4882-9532-18633605b7df
https://support.microsoft.com/en-us/windows/bitlocker-drive-encryption-76b92ac9-1040-48d6-9f5f-d14b3c5fa178
https://bitwarden.com/download/
https://bitwarden.com/help/getting-started-browserext/
https://support.google.com/accounts/answer/185839
https://fidoalliance.org/passkeys/
https://keepassxc.org/download/
https://keepassxc.org/docs/KeePassXC_GettingStarted
https://www.cisa.gov/sites/default/files/publications/data_backup_options.pdf
https://www.backblaze.com/blog/the-3-2-1-backup-strategy/
https://support.apple.com/en-us/102307
https://support.microsoft.com/en-us/windows/backup-and-restore-with-file-history-7bf065bf-f1ea-0a78-c1cf-7dcf51cc8bfc
https://support.microsoft.com/en-us/windows/back-up-and-restore-with-windows-backup-87a81f8a-78fa-456e-b521-ac0560e32338
https://restic.net/
https://borgbackup.readthedocs.io/en/stable/quickstart.html
https://aws.amazon.com/s3/features/object-lock/
https://www.backblaze.com/cloud-storage/solutions/object-lock
https://ollama.com/download
https://ollama.com/library
https://ai.meta.com/blog/meta-llama-3-1/
https://lmstudio.ai/
https://docs.openwebui.com/
https://phishingquiz.withgoogle.com/
https://haveibeenpwned.com/
https://getgophish.com/

NACKL News