
Setting up a secure account

Personal secrets should never leave your personal control. Digital secrets should be kept on cryptographically protected storage and handled only with tools that do not leak them, e.g. through temporary files, editor backups or memory swapped out to an unencrypted disk.

Avoid "smart" file managers: thumbnail generation, content indexing and recent-file lists all leave copies or traces of secrets outside the encrypted storage.

Do not transfer secrets in the clear on insecure media such as a USB stick: traces of the data can remain recoverable even after the files are deleted!

Storage

The strongest option is to keep secrets on a smartcard, accessed from a personal system with full disk encryption: the private key material never leaves the card, so the host only sees signing and decryption results.

A strong option is to keep secrets on a personal system with full disk encryption.

A weaker option is to keep secrets on an encrypted disk partition that is mounted only when needed and unmounted again afterwards. It is weaker because everything else on the system (swap, temporary files, application caches) stays unencrypted and may receive copies of the secrets while the partition is in use.

Full disk encryption

"Full disk encryption" is chosen when installing the whole system; most installers offer it as an option. Retrofitting it onto an already installed system is possible but involved, so decide on it at installation time.

Encrypted partition

You need the package cryptsetup-run (on newer Debian releases the luksformat and cryptdisks_* tools are in the cryptsetup package). Install it if not done already. All of the following commands must be run as root.

Connect the disk (if removable) and locate its name (first column):

lsblk --paths --nodeps

Make sure the disk has no partitions mounted (last column):

lsblk --paths

Format the connected but unused disk (replacing PATH_TO_YOUR_DISK with the actual path). This creates a LUKS container over the whole disk with an ext4 filesystem inside it and erases everything previously on the disk, so double-check the path first:

luksformat -t ext4 PATH_TO_YOUR_DISK

Add info about the encrypted disk to the file /etc/crypttab (the UUID queried here is that of the LUKS container; --nodeps keeps lsblk from also listing the mapped device once it is open):

echo "mysecrets UUID=$(lsblk --noheadings --nodeps -o UUID PATH_TO_YOUR_DISK) none luks,noauto" >> /etc/crypttab

Create mountpoint for the partition inside the encrypted disk:

mkdir /mnt/mysecrets

Add info about the partition inside the encrypted disk to the file /etc/fstab. The mapping /dev/mapper/mysecrets only exists while the container is unlocked, and luksformat closes it again after formatting, so unlock it first (cryptdisks_start mysecrets uses the crypttab entry above) before querying the filesystem UUID:

echo "UUID=$(lsblk --noheadings -o UUID /dev/mapper/mysecrets) /mnt/mysecrets ext4 noauto" >> /etc/fstab

Afterwards the partition is used with mount /mnt/mysecrets and released again with umount /mnt/mysecrets followed by cryptdisks_stop mysecrets.
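The whole procedure above, wrapped in a script with the checks a practitioner wants before a disk is overwritten. This is an added example, not part of the original SETUP.md; it assumes the Debian-style cryptsetup tools (luksformat, cryptdisks_start, cryptdisks_stop) and keeps the mapping name mysecrets and mountpoint /mnt/mysecrets used in this page. The helper functions are pure so they can be exercised without a real disk; the destructive part only runs when SECRETS_DISK is set in the environment.

```shell
#!/bin/sh
# Added example (not the project's own code): encrypted secrets disk setup
# with safety checks. Assumes Debian's luksformat and cryptdisks_* scripts.
set -eu

NAME=mysecrets                 # mapping name in /etc/crypttab and /dev/mapper
MOUNTPOINT=/mnt/$NAME          # where the filesystem inside the mapping is mounted

# has_mounts: reads `lsblk --noheadings -o PATH,MOUNTPOINT <disk>` on stdin and
# succeeds if any line carries a mountpoint (second field present).
has_mounts() {
    awk 'NF >= 2 { found = 1 } END { exit found ? 0 : 1 }'
}

# crypttab_line: $1 = UUID of the LUKS container (the whole disk)
crypttab_line() {
    printf '%s UUID=%s none luks,noauto\n' "$NAME" "$1"
}

# fstab_line: $1 = UUID of the ext4 filesystem inside the open mapping
fstab_line() {
    printf 'UUID=%s %s ext4 noauto 0 0\n' "$1" "$MOUNTPOINT"
}

# append_once: $1 = file, $2 = line; append unless the exact line is present,
# so re-running the script does not duplicate crypttab/fstab entries.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# setup_secrets_disk: $1 = whole-disk path, e.g. /dev/sdb. ERASES THE DISK.
setup_secrets_disk() {
    disk=$1
    if [ ! -b "$disk" ]; then
        echo "not a block device: $disk" >&2
        return 1
    fi
    # Refuse to format a disk that has anything mounted on it or its partitions.
    if lsblk --noheadings -o PATH,MOUNTPOINT "$disk" | has_mounts; then
        echo "$disk has mounted partitions, refusing to format" >&2
        return 1
    fi
    luksformat -t ext4 "$disk"     # asks for the passphrase; closes its temporary mapping
    luks_uuid=$(lsblk --noheadings --nodeps -o UUID "$disk")
    append_once /etc/crypttab "$(crypttab_line "$luks_uuid")"
    cryptdisks_start "$NAME"       # unlock so /dev/mapper/$NAME exists
    fs_uuid=$(lsblk --noheadings --nodeps -o UUID "/dev/mapper/$NAME")
    mkdir -p "$MOUNTPOINT"
    append_once /etc/fstab "$(fstab_line "$fs_uuid")"
    # Verify the new entries actually work, then leave the disk locked.
    mount "$MOUNTPOINT"
    umount "$MOUNTPOINT"
    cryptdisks_stop "$NAME"
    echo "done: unlock with 'cryptdisks_start $NAME', then 'mount $MOUNTPOINT'"
}

# Only touch hardware when explicitly asked: SECRETS_DISK=/dev/sdX sh setup.sh
if [ -n "${SECRETS_DISK:-}" ]; then
    setup_secrets_disk "$SECRETS_DISK"
fi
```

The mount check at the end is the cheap way to catch a wrong UUID in fstab before you rely on the entry; if it fails the script stops (set -e) with the mapping still open, so you can inspect /dev/mapper/mysecrets by hand.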

Secrets

PGP

SSH

Monkeysphere

See also

Cryptsetup FAQ