Setting up a secure account
Personal secrets should never leave your personal control.
Digital secrets should be kept on a cryptographically secure storage
and handled only with special tools
to not leak data e.g. via temporary files or virtual memory.
Avoid smart file managers.
Do not transfer secret data as-is on insecure media like a USB stick -
traces of the secrets can be left behind even after deletion!
A quite strong option is to keep secrets on a smartcard
accessed from a personal system with full disk encryption.
A strong option is to keep secrets on a personal system with full disk encryption.
A weaker option is to keep secrets on an encrypted disk partition
mounted only when needed and then unmounted again.
Full disk encryption
Setting up "Full disk encryption" is done when setting up the whole system.
You need package
Install it if not done already.
Connect the device (if removable)
and locate its device name (first column):
lsblk --paths --nodeps
Make sure the device has no partitions mounted (last column):
Format selected device
(replacing PATH_TO_YOUR_DEVICE with your actual device path):
luksformat -t ext4 PATH_TO_YOUR_DEVICE
Add info about the encrypted device to the file
echo "mysecrets UUID=$(lsblk --noheadings -o UUID PATH_TO_YOUR_DEVICE) none luks,noauto" >> /etc/crypttab
Create mountpoint for the partition inside the encrypted device:
Add info about the partition inside the encrypted device to the file
echo "UUID=$(lsblk --noheadings -o UUID /dev/mapper/mysecrets) /mnt/mysecrets ext4 noauto" >> /etc/fstab