# Setting up a secure account

Personal secrets should never leave your personal control.

Digital secrets should be kept in cryptographically secure storage and handled only with special tools, so that data does not leak e.g. via temporary files or virtual memory. Avoid smart file managers.

Do *not* transfer secret data as-is on insecure media like a USB stick - traces of the secrets can be left behind even after deletion!

## Storage

A quite strong option is to keep secrets on a smartcard accessed from a personal system with full disk encryption.

A strong option is to keep secrets on a personal system with full disk encryption.

A weaker option is to keep secrets on an encrypted disk partition that is mounted only when needed and then unmounted again.

### Full disk encryption

Full disk encryption is set up when the whole system is installed.

### Encrypted partition

You need the package `cryptsetup-run`. Install it if not done already.

Connect the device (if removable) and locate its device name (first column):

    lsblk --paths --nodeps

Make sure the device has no partitions mounted (last column):

    lsblk --paths

Format the selected device (replacing PATH_TO_YOUR_DEVICE with your actual device path):

    luksformat -t ext4 PATH_TO_YOUR_DEVICE

Locate the UUID of the formatted device (replacing PATH_TO_YOUR_DEVICE with your actual device path):

    lsblk --fs --nodeps PATH_TO_YOUR_DEVICE

Add a line about the device to the file `/etc/crypttab`, creating the file if needed (replacing YOUR_UUID with your actual UUID):

> mysecrets UUID=YOUR_UUID none luks,noauto

## Secrets

### PGP

### SSH

Monkeysphere

## See also

[Cryptsetup FAQ]

[Cryptsetup FAQ]: "Cryptsetup Frequently Asked Questions"
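
For the encrypted partition steps above, an added example (not part of the original page) that guards the two places where a slip is costly: formatting a device that still has something mounted, and writing a `crypttab` line with an unreplaced placeholder or a duplicate mapping name. The function names, the `/dev/sdX` sample and the UUID are constructed for illustration; the `--pairs` and `--output` options are assumed here to make the `lsblk` output easy to parse.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# stdin: output of `lsblk --paths --pairs --output NAME,MOUNTPOINT DEVICE`.
# Prints every node that is still mounted; returns non-zero if any is.
mounted_nodes() {
    awk -F'"' '$4 != "" { print $2 " is mounted on " $4; busy = 1 }
               END { exit busy }'
}

# Build the crypttab line from the page, rejecting anything that is not a UUID
# (for example the YOUR_UUID placeholder left unreplaced).
crypttab_line() {
    name=$1
    uuid=$2
    if ! printf '%s\n' "$uuid" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'; then
        echo "not a UUID: $uuid" >&2
        return 1
    fi
    printf '%s UUID=%s none luks,noauto\n' "$name" "$uuid"
}

# Append the entry to a crypttab file unless the mapping name is already used.
add_crypttab_entry() {
    file=$1
    line=$(crypttab_line "$2" "$3") || return 1
    if [ -f "$file" ] &&
        awk -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$file"; then
        echo "$2 is already defined in $file" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Demo on constructed input: /dev/sdX1 is still mounted, so formatting must wait.
sample='NAME="/dev/sdX" MOUNTPOINT=""
NAME="/dev/sdX1" MOUNTPOINT="/media/usb"'
if ! printf '%s\n' "$sample" | mounted_nodes; then
    echo "unmount the device before running luksformat"
fi
demo=$(mktemp)
add_crypttab_entry "$demo" mysecrets 0f3c2a1b-4d5e-4f60-8a7b-9c0d1e2f3a4b
cat "$demo"
rm -f "$demo"
```

On a real system, feed `mounted_nodes` from `lsblk --paths --pairs --output NAME,MOUNTPOINT PATH_TO_YOUR_DEVICE` and pass `/etc/crypttab` as the file, running as root.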