# Setting up a secure account

Personal secrets should never leave your personal control.

Digital secrets should be kept on cryptographically secure storage and handled only with tools designed not to leak data, e.g. via temporary files or virtual memory. Avoid smart file managers.

Do *not* transfer secret data as-is on insecure media like a USB stick - traces of the secrets can be left behind even after deletion!

## Storage

A quite strong option is to keep secrets on a smartcard accessed from a personal system with full disk encryption.

A strong option is to keep secrets on a personal system with full disk encryption.

A weaker option is to keep secrets on an encrypted disk partition that is mounted only when needed and then unmounted again.

### Full disk encryption

Full disk encryption is set up when installing the whole system.

### Encrypted partition

You need the package `cryptsetup-run`. Install it if it is not installed already.

Physically connect the disk (if removable) and locate its name on this system (first column):

    lsblk --paths --nodeps

Make sure the disk has no partitions mounted (last column):

    lsblk --paths

Format the connected but unused disk (replacing PATH_TO_YOUR_DISK with the actual path):

    luksformat -t ext4 PATH_TO_YOUR_DISK

Add info about the encrypted disk to the file `/etc/crypttab`:

    echo "mysecrets UUID=$(lsblk --noheadings -o UUID PATH_TO_YOUR_DISK) none luks,noauto" >> /etc/crypttab

Create a mountpoint for the partition inside the encrypted disk:

    mkdir /mnt/mysecrets

Add info about the partition inside the encrypted disk to the file `/etc/fstab` (the mapping `/dev/mapper/mysecrets` must be unlocked at this point, otherwise `lsblk` cannot read the UUID of the filesystem inside it):

    echo "UUID=$(lsblk --noheadings -o UUID /dev/mapper/mysecrets) /mnt/mysecrets ext4 noauto" >> /etc/fstab

## Secrets

### PGP

### SSH

Monkeysphere

## See also

[Cryptsetup FAQ]

[Cryptsetup FAQ]: "Cryptsetup Frequently Asked Questions"
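
The `noauto` option in both the `/etc/crypttab` and `/etc/fstab` entries is what keeps the encrypted partition locked and unmounted until it is needed. The check below is an added example, not part of the original page: the function names `has_opt` and `check_on_demand`, the sample files and their UUIDs are constructed for illustration, and the files to inspect are passed as arguments.

```shell
#!/bin/sh
# Added example: verify that a crypttab/fstab pair keeps the volume locked
# and unmounted until someone asks for it. File paths are passed as arguments.

# has_opt OPTIONS WANTED: succeed if WANTED is in the comma-separated OPTIONS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_on_demand NAME MOUNTPOINT CRYPTTAB FSTAB
# Prints each problem found; the return status is the number of problems.
check_on_demand() {
    name=$1 mnt=$2 crypttab=$3 fstab=$4 problems=0
    # crypttab fields: target name, source device, key file, options
    entry=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "crypttab: no entry for $name"; problems=$((problems + 1))
    else
        key=${entry%% *} opts=${entry#* }
        [ "$key" = none ] ||
            { echo "crypttab: key field is '$key', not 'none'"; problems=$((problems + 1)); }
        has_opt "$opts" noauto ||
            { echo "crypttab: $name lacks noauto (unlocked at boot)"; problems=$((problems + 1)); }
    fi
    # fstab fields: device, mount point, filesystem type, options
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    if [ -z "$opts" ]; then
        echo "fstab: no entry for $mnt"; problems=$((problems + 1))
    else
        has_opt "$opts" noauto ||
            { echo "fstab: $mnt lacks noauto (mounted at boot)"; problems=$((problems + 1)); }
    fi
    return "$problems"
}

# Constructed sample files (the UUIDs are made up), written to a scratch directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# <target> <source> <key file> <options>' \
    'mysecrets UUID=11111111-2222-3333-4444-555555555555 none luks,noauto' > "$demo/crypttab.good"
printf '%s\n' 'mysecrets UUID=11111111-2222-3333-4444-555555555555 /root/key luks' > "$demo/crypttab.bad"
printf '%s\n' 'UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /mnt/mysecrets ext4 noauto' > "$demo/fstab.good"
printf '%s\n' 'UUID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee /mnt/mysecrets ext4 defaults' > "$demo/fstab.bad"

check_on_demand mysecrets /mnt/mysecrets "$demo/crypttab.good" "$demo/fstab.good" && echo "good pair: ok"
check_on_demand mysecrets /mnt/mysecrets "$demo/crypttab.bad" "$demo/fstab.bad" || echo "bad pair: $? problem(s)"
```

To check the real configuration, call `check_on_demand mysecrets /mnt/mysecrets /etc/crypttab /etc/fstab`.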