From edce916b134b695edb92210fa2ddc48beb2aeb8e Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Mon, 3 Jun 2019 16:29:04 +0200 Subject: Updates to storage. --- SETUP.md | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ USE.md | 32 ++++++++++++++++++++++++++- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 SETUP.md diff --git a/SETUP.md b/SETUP.md new file mode 100644 index 0000000..01c67d5 --- /dev/null +++ b/SETUP.md 
@@ -0,0 +1,77 @@ +# Setting up a secure account + +Personal secrets should never leave your personal control. +Digital secrets should be kept on a cryptographically secure storage +and handled only with special tools +to not leak data e.g. via temporary files or virtual memory. + +Avoid smart file managers. + +Do *not* transfer secret data as-is on insecure media like a USB stick - +traces of the secrets can be left behind even after deletion! + + +## Storage + +A quite strong option is to keep secrets on a smartcard +accessed from a personal system with full disk encryption. + +A strong option is to keep secrets on a personal system with full disk encryption. + +A weaker option is to keep secrets on an encrypted disk partition +mounted only when needed and then unmounted again. + + +### Full disk encryption + +Setting up "Full disk encryption" is done when setting up the whole system. + + +### encrypted partition + +You need package `cryptsetup-run`. +Install it if not done already. + +Connect the device (if removable) +and locate its device name (first column): + + lsblk --paths --nodeps + +Make sure the device has no partitions mounted (last column): + + lsblk --paths + +Format selected device +(replacing PATH_TO_YOUR_DEVICE with your actual device path): + + luksformat -t ext4 PATH_TO_YOUR_DEVICE + +Locate the UUID of the formatted device +(replacing PATH_TO_YOUR_DEVICE with your actual device path): + + lsblk --fs --nodeps PATH_TO_YOUR_DEVICE + +Add/extend the file `etc/crypttab` with a line about the device +(replacing YOUR_UUID with your actual UUID): + +> mysecrets UUID=YOUR_UUID none luks,noauto + + +## Secrets + + +### PGP + + +### SSH + + +Monkeysphere + + +## See also + +[Cryptsetup FAQ] + +[Cryptsetup FAQ]: + "Cryptsetup Frequently Asked Questions" diff --git a/USE.md b/USE.md index 95ee811..76aae9c 100644 --- a/USE.md +++ b/USE.md 
@@ -3,7 +3,33 @@ Accounts containing trust secrets need special care. -## GnuPG +## Storage + + +### Full disk encryption + + + +### encrypted partition + +You need package `cryptsetup-bin`. +Install it if not done already. + +Connect the device (if removable) +and locate its device name (first column): + + lsblk --paths --nodeps + +Mount the encrypted partition on the device: + + cryptdisks_start mysecrets + + +## Secrets + + +### PGP + ### Keysigning @@ -12,4 +38,8 @@ Accounts containing trust secrets need special care. [caff]: https://wiki.debian.org/caff "CA - Fire and Forget" + +### SSH + + ## Monkeysphere -- cgit v1.2.3
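Review bot: In the new SETUP.md the crypttab path is wrong and the package name does not match the command used. `Add/extend the file `etc/crypttab`` should read `/etc/crypttab` (the relative path will not be found by `cryptdisks_start`), and the file says `You need package `cryptsetup-run`` but then runs `luksformat`, while USE.md in the same commit says `cryptsetup-bin` for `cryptdisks_start`; the two files disagree on which package the same stack needs, and on Debian buster it is the other way round (`luksformat` is in cryptsetup-bin, `cryptdisks_start` in cryptsetup-run), so check with `dpkg -S /usr/sbin/luksformat` and `dpkg -S /usr/sbin/cryptdisks_start` and name the correct package in each file. Two smaller points in the same hunk: `luksformat -t ext4 PATH_TO_YOUR_DEVICE` irreversibly wipes the device, and a document aimed at people handling their only copy of a secret should say so right before that step (and note that these commands need root); and the reference definition `[Cryptsetup FAQ]: "Cryptsetup Frequently Asked Questions"` has no URL, so the `[Cryptsetup FAQ]` link under "See also" will not resolve.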
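Review bot: In the first USE.md hunk, `cryptdisks_start mysecrets` does not do what the heading "Mount the encrypted partition on the device" promises: it only unlocks the LUKS container and creates the `/dev/mapper/mysecrets` mapping, and nothing in this commit adds an fstab entry or a `mount` step for the filesystem inside it, nor the matching `umount` and `cryptdisks_stop mysecrets` that SETUP.md's "mounted only when needed and then unmounted again" depends on. Either add the mount/unmount commands here or add an fstab line (with `noauto`) in SETUP.md and document mounting it. The heading levels also no longer nest: `## GnuPG` is replaced by `### PGP`, but the existing `### Keysigning` below it stays at the same level and so becomes a sibling of PGP rather than a subsection of it; demote it to `####` or make PGP a `##`.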
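Review bot: The second USE.md hunk adds an empty `### SSH` heading immediately before the unchanged `## Monkeysphere`, while SETUP.md in the same commit places `Monkeysphere` as the content of its SSH section; pick one structure for both files (Monkeysphere as a subsection of SSH, or a top-level section in each) and either give the SSH heading its content or leave it out until there is something to say.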