
I have been using full-disk encryption for some time on Linux with good success, but the additional layer of complexity that it adds is something I'd like to avoid, e.g. backup/system restore complexity, lack of TRIM support for an SSD, etc. Ideally, I'd just encrypt each directory (such as 'Documents') that contains sensitive data.

As a single-user machine, I'm not particularly worried about 'root' seeing the mounted data. I'm only worried about someone breaking in and walking off with the hardware and having access to the data.

The machine in question has 16 GB of RAM and is running a solid-state drive so I have no swap partition whatsoever. If an application has nowhere to swap, generally I shouldn't have to worry about it writing to some unprotected/unencrypted location.

My question is if I should worry about other directories where an application may decide to temporarily store files. For example, should I bother trying to encrypt the '/tmp' directory?

1 Answer


You said, "My question is if I should worry about other directories where an application may decide to temporarily store files."

The answer is that it depends on how paranoid you are. It is really not possible to answer your question very well. I guess that's why it wasn't answered previously. However, I'll attempt an answer...

Since you said that full-disk encryption is not worth the complexity to you, then I believe your needs (just encrypt files in sensitive directories) may be met with something like EncFS. See this answer:

Here's your answer: https://superuser.com/a/182221

Regarding /tmp, keep it in memory by mounting it as tmpfs, as discussed in that answer. And don't worry about anything else. If that isn't good enough for you, then go back to full-disk encryption.
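As an added example (not from this answer or the linked one), a small POSIX shell script that checks the two assumptions the question rests on, no active swap and /tmp held in RAM, straight from the kernel's mount and swap tables, and prints the fstab entry the tmpfs advice amounts to. The extra mount options (mode=1777, nosuid, nodev, noexec) and the 2G size are assumptions of this example, not something the answer prescribes.

```shell
#!/bin/sh
# Added example: verify "no swap" and "/tmp lives in RAM" from /proc, and
# print the /etc/fstab line that keeps /tmp on tmpfs.

# fstype_of MOUNTS_FILE MOUNTPOINT: filesystem type mounted at MOUNTPOINT,
# or "none" if nothing is mounted there. /proc/mounts lists one mount per
# line as "device mountpoint fstype options dump pass"; if a path has been
# mounted over more than once, the last line is the active mount, so it wins.
fstype_of() {
    awk -v mp="$2" '$2 == mp { t = $3 } END { print (t == "" ? "none" : t) }' "$1"
}

# tmp_is_in_ram MOUNTS_FILE: succeed only if /tmp is a tmpfs mount.
tmp_is_in_ram() {
    [ "$(fstype_of "$1" /tmp)" = "tmpfs" ]
}

# swap_count SWAPS_FILE: number of active swap areas listed in /proc/swaps
# (the first line is a column header and is skipped).
swap_count() {
    awk 'NR > 1 && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# tmpfs_fstab_line SIZE: fstab entry for a RAM-backed /tmp. mode=1777 keeps
# the sticky, world-writable permissions /tmp needs; size= caps how much RAM
# it may consume; nosuid/nodev/noexec are defensive extras chosen here.
tmpfs_fstab_line() {
    printf 'tmpfs /tmp tmpfs defaults,size=%s,mode=1777,nosuid,nodev,noexec 0 0\n' "$1"
}

# report: run both checks against the live system.
report() {
    if tmp_is_in_ram /proc/mounts; then
        echo "/tmp is tmpfs: temporary files stay in RAM"
    else
        echo "/tmp is not tmpfs (fstype: $(fstype_of /proc/mounts /tmp)); add to /etc/fstab:"
        tmpfs_fstab_line 2G
    fi
    echo "active swap areas: $(swap_count /proc/swaps)"
}

if [ -r /proc/mounts ] && [ -r /proc/swaps ]; then
    report
fi
```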

