GPG and Tor are the bare requirements. Truecrypt FDE is also nice, but it is less important; if they can never pinpoint you, they can not physically steal your non-encrypted drive. Truecrypt, GPG, Tor, and bitcoin mixing is pretty solid (you should certainly be taking SOME measure to anonymize your bitcoins, be it mixing or obtaining them anonymously, preferably both). If you want to step your game up, use isolation of some sort to make it harder for hackers to get your IP address. If you want to step it up a bit more, get a security oriented OS and make sure your hardware supports all of its security functionality.

If you want to take it to the extreme, use a three computer setup: one that runs Tor and connects to the internet, one that runs Firefox, and one that stores GPG private keys and carries out encryption and decryption operations and never connects to the internet or to anything that ever will. Copy ciphertexts and public keys from the Firefox machine to the GPG machine via *single use and then destroy* media (such as a burned CD), and your outgoing ciphertexts and public keys from the GPG machine to the Firefox machine by hand. Configure the Firefox machine to route its traffic to Tor on the Tor machine and assign it an internal IP address only. Put Tor in a virtual machine on the Tor machine behind NAT and use firewall rules on the host to block connections to any IP address other than your entry guards. Additionally, isolate the virtual machine with mandatory access controls. Make sure to use a wired connection from the Firefox machine to the Tor machine, so if Firefox is pwnt you can not be geopositioned with WPS from a wireless network adapter. Use a security oriented OS and make sure your hardware fully supports all of the OS features; for example, you will need a 64 bit processor to get a security benefit from ASLR, you will need the NX bit flag on the CPU, etc. Make sure to harden everything, blah blah.
Nobody actually does all of this because, even though it is secure as a motherfucker, the feds are like fifty steps behind it and the NSA doesn't give a fuck. I also suggest using an in-state fake ID to obtain a PMB that is not tied to you. Everyone who deals with significant weight does this. It might be less of a benefit and an additional charge for someone dealing with very small orders. I know for a fact it has saved the day many times before, though. Not just from feds, but also from scammers leaking people's addresses publicly. If we ever have interception detection chips, it will give us the opportunity to be nearly fully protected from all attacks other than downward (from vendor to customer) human intelligence, but so far not much progress has been made on getting those realized, unfortunately.