Setting up a secure account
Personal secrets should never leave your personal control.
Digital secrets should be kept on cryptographically secure storage
and handled only with special tools,
so that data does not leak, e.g. via temporary files or virtual memory.
Avoid smart file managers.
Do not transfer secret data as-is on insecure media like a USB stick -
traces of the secrets can be left behind even after deletion!
Storage
A quite strong option is to keep secrets on a smartcard
accessed from a personal system with full disk encryption.
A strong option is to keep secrets on a personal system with full disk encryption.
A weaker option is to keep secrets on an encrypted disk partition
mounted only when needed and then unmounted again.
Full disk encryption
Full disk encryption is set up as part of setting up the whole system.
Encrypted partition
You need the package cryptsetup-run.
Install it if not done already.
Connect the device (if removable)
and locate its device name (first column):
lsblk --paths --nodeps
Make sure the device has no partitions mounted (last column):
lsblk --paths
Format the selected device
(replacing PATH_TO_YOUR_DEVICE with your actual device path):
luksformat -t ext4 PATH_TO_YOUR_DEVICE
Locate the UUID of the formatted device
(replacing PATH_TO_YOUR_DEVICE with your actual device path):
lsblk --fs --nodeps PATH_TO_YOUR_DEVICE
Add/extend the file /etc/crypttab
with a line about the device
(replacing YOUR_UUID with your actual UUID):
mysecrets UUID=YOUR_UUID none luks,noauto
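An added example (not part of the original page): shell helpers that guard the two risky steps above, refusing to go on while the device still has something mounted and writing the crypttab entry only from a well-formed UUID. The function names and the lsblk column selection are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from cryptsetup.

# Succeeds only if no line of an lsblk listing carries a mount point.
# stdin: lsblk --paths --list --noheadings --output NAME,MOUNTPOINT DEVICE
device_is_idle() {
    while read -r name mountpoint || [ -n "$name" ]; do
        if [ -n "$mountpoint" ]; then
            echo "in use: $name on $mountpoint" >&2
            return 1
        fi
    done
    return 0
}

# Prints the crypttab line used on this page after validating both fields.
# Rejects a leftover placeholder such as YOUR_UUID.
crypttab_line() {
    name=$1
    uuid=$2
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad mapping name: $name" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$uuid" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'; then
        echo "bad UUID: $uuid" >&2
        return 1
    fi
    # "none": passphrase is prompted, no key file on disk.
    # "noauto": the mapping is not opened automatically at boot.
    printf '%s UUID=%s none luks,noauto\n' "$name" "$uuid"
}

# Appends the entry to FILE unless that mapping name is already defined.
# Returns 1 on invalid input, 2 on a duplicate name.
crypttab_add() {
    file=$1
    line=$(crypttab_line "$2" "$3") || return 1
    if [ -f "$file" ] && grep -Eq "^[[:space:]]*$2[[:space:]]" "$file"; then
        echo "mapping $2 already in $file" >&2
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Typical use as root (DEV is your device path):
#   lsblk --paths --list --noheadings --output NAME,MOUNTPOINT "$DEV" | device_is_idle
#   crypttab_add /etc/crypttab mysecrets "$(lsblk --noheadings --nodeps --output UUID "$DEV")"
```

Run the idle check before formatting and the crypttab step after it, since the UUID only exists once the device has been formatted.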
Secrets
PGP
SSH
Monkeysphere
See also
Cryptsetup FAQ