path: root/SETUP.md
blob: 01c67d5400c9b02bf272f6f214660bc6526f4082 (plain)

Setting up a secure account

Personal secrets should never leave your personal control. Digital secrets should be kept on cryptographically secure storage and handled only with tools designed not to leak data, e.g. via temporary files or virtual memory.

Avoid smart file managers.

Do not transfer secret data as-is on insecure media like a USB stick - traces of the secrets can be left behind even after deletion!

Storage

A quite strong option is to keep secrets on a smartcard accessed from a personal system with full disk encryption.

A strong option is to keep secrets on a personal system with full disk encryption.

A weaker option is to keep secrets on an encrypted disk partition mounted only when needed and then unmounted again.

Full disk encryption

Setting up "Full disk encryption" is done when setting up the whole system.

Encrypted partition

You need the cryptsetup-run package. Install it if not done already.

Connect the device (if removable) and locate its device name (first column):

lsblk --paths --nodeps

Make sure the device has no partitions mounted (last column):

lsblk --paths

Format the selected device, which erases any data on it (replacing PATH_TO_YOUR_DEVICE with your actual device path):

luksformat -t ext4 PATH_TO_YOUR_DEVICE

Locate the UUID of the formatted device (replacing PATH_TO_YOUR_DEVICE with your actual device path):

lsblk --fs --nodeps PATH_TO_YOUR_DEVICE

Add/extend the file /etc/crypttab with a line about the device (replacing YOUR_UUID with your actual UUID):

mysecrets UUID=YOUR_UUID none luks,noauto
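
The steps above end at the crypttab line. The following added example (not part of the original SETUP.md) checks that an entry has the properties of that line and wraps the "mounted only when needed and then unmounted again" cycle. It assumes Debian's cryptdisks_start and cryptdisks_stop helpers; the mount point /mnt/mysecrets and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. CRYPTTAB, MOUNTPOINT and all function names are assumptions.
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"
MOUNTPOINT="${MOUNTPOINT:-/mnt/mysecrets}"   # hypothetical; must already exist

# check_entry NAME [FILE]: succeed only if NAME is defined with a UUID source,
# key file "none" (passphrase is prompted, no key stored on disk) and both the
# luks and noauto options (noauto: never unlocked automatically at boot).
check_entry() {
    name=$1 file=${2:-$CRYPTTAB} found=0
    while read -r target source keyfile options rest; do
        case $target in ''|\#*) continue ;; esac      # skip blanks and comments
        [ "$target" = "$name" ] || continue
        found=1
        case $source in
            UUID=?*) ;;
            *) echo "$name: source is not UUID=..." >&2; return 1 ;;
        esac
        [ "$keyfile" = none ] || { echo "$name: key file is not 'none'" >&2; return 1; }
        for opt in luks noauto; do
            case ",$options," in
                *,"$opt",*) ;;
                *) echo "$name: option '$opt' missing" >&2; return 1 ;;
            esac
        done
    done < "$file"
    [ "$found" -eq 1 ] || { echo "$name: no such entry in $file" >&2; return 1; }
}

# open_secrets NAME: validate the entry, unlock it, then mount the mapping.
open_secrets() {
    check_entry "$1" || return 1
    cryptdisks_start "$1" && mount "/dev/mapper/$1" "$MOUNTPOINT"
}

# close_secrets NAME: unmount first, then remove the decrypted mapping.
close_secrets() {
    umount "$MOUNTPOINT" && cryptdisks_stop "$1"
}

# Usage (as root):  open_secrets mysecrets;  ...work...;  close_secrets mysecrets
```
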

Secrets

PGP

SSH

Monkeysphere

See also

Cryptsetup FAQ