I still advocate for air gaps they are an insanely powerful security technique. If your plaintexts / private keys / passphrases are never exposed to the internet then you don't have very much to worry about malware. You also do not need to type over every character, you can use disposable one time use media such as a CD to copy over from the machine without internet connection to the machine with internet connection, the only copying you need to do is to bring public keys from the internet connected machine to the isolated by air machine, as if you expose it to a CD that has been exposed to the internet it could be bugged and transmit back via the CD you use to transfer ciphertexts from it. Using a live CD is not particularly helpful against malware, sure it protects from persistent malware but it doesn't do shit to stop an attacker from deanonymizing you or temporarily being able to eavesdrop on your keystrokes. A live USB could even have persistent malware installed to it. The best solution is to layer isolation I believe, I am thinking that SElinux is the way to go about this. Of course making sure that you are taking full advantage of ASLR , and hardening your OS and browser, will also go a long way towards protecting you from malware. The thing to keep in mind about virus scanners is that they are a complete joke and if any half skilled attacker wants to they can circumvent them with a targeted payload that is not released into the wild. Making a virus that is not detected by any anti-virus software is a fairly trivial task, and you can easily confirm when your virus has reached such a state by running anti virus products against it until it becomes undetectable. Ninety nine out of a hundred times an anti virus program is not going to be able to detect a targeted payload that has not been released into the wild for the anti virus people to be able to get a copy of it. Also the first thing a good virus does is disable your anti viruses ability to detect it, so even if the anti virus company does end up protecting from a virus, it isn't likely to do you much good if you have already been infected. Anonymity doesn't protect you from malware (generally speaking, although in some cases it can make life harder for an attacker), and malware can deanonymize you. I imagine you have heard of CIPAV?? You can use the best encryption algorithms in the world and the best anonymity network around and it is all going to do jack shit to protect your plaintexts or identity if an attacker roots you. Having strong data and location security without strong defenses from malware is similar to having a fortified door with an open window next to it. This is 110% wrong. In fact, they can find where a machine lives by compromising it. An attacker who manages to root SR and finds a multi-platform exploit for firefox could theoretically take over the computers of everyone using firefox to surf SR, by for example adding malicious javascript to it that exploits a vulnerability in firefox to take over its permissions, which (in most configurations) includes the ability to stop routing through Tor and deanonymize you, and very likely to spy on your plaintexts prior to encrypting them with GPG (through lack of isolation in X for example). In practice it might be more difficult for them to simultaneously pwn every single person here, because some might be using different browsers, some may have javascript turned off, some may be protected by default OS features like ASLR, etc...but it is entirely possible in theory for such an attack to be carried out. So far such things seem like they are far more common for intelligence agencies to do than police forces though.