

Encryption

Encrypt your data

You can encrypt a full partition, or use a file container.

Then you need to take some precautions.

Lock, lock, lock

Ensure that your computer remains locked when unattended. Require a password at login, systematically lock it manually when you leave it, set up your screen saver to lock it automatically after a few minutes of user inactivity in case you forget, and configure it to be locked when it resumes from sleep.

When to mount

If your data are very sensitive and you suspect some advanced hackers could try to gain access to them, you should only keep a volume mounted while you need to use it, and unmount it as soon as you no longer need it. To make this easier, you should have a separate volume for every category of sensitive data you have. A volume should never be mounted when the computer is unattended, idle, sleeping, or when you are traveling with it. The reason is that it is not that difficult to recover the encryption keys from the RAM if the volume is mounted, even if it is not possible to use the current session; see http://web.archive.org/web/20110429202434/http://citp.princeton.edu/pub/coldboot.pdf.

If your data are not very sensitive and you just want to prevent the average hacker or thief from getting your data, keep the volume mounted and follow the rest of the instructions.

Indexing

Be careful with indexing programs. Prevent them from indexing the content of your encrypted volumes, or, if you need the index, put the index file of each volume on the volume itself. For example, for mlocate I use the following configuration for a partition mounted on /mnt/data (adapt and duplicate as needed):

/etc/updatedb.conf (as a safeguard):

PRUNEPATHS="... /mnt/data"

updatedb.sh:

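#!/bin/sh
# Update the system database without descending into the encrypted volume.
updatedb --add-prunepaths "/mnt/data"
# If the volume is mounted, refresh the index stored on the volume itself.
if [ -e /mnt/data/AppData/mlocate/mlocate.db ]; then
  updatedb --prunepaths "" --database-root /mnt/data/ --output /mnt/data/AppData/mlocate/mlocate.db
fi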

locate.sh:

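#!/bin/sh
# Always search the system database.
databases="/var/lib/mlocate/mlocate.db"
# Add the volume's own database when the volume is mounted.
if [ -e /mnt/data/AppData/mlocate/mlocate.db ]; then
  databases="$databases:/mnt/data/AppData/mlocate/mlocate.db"
fi

# Pass every argument through, so options and patterns containing spaces work.
locate -d "$databases" "$@"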

.zshenv:

alias updatedb='updatedb.sh'
alias locate='locate.sh'
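
To check that the safeguard above really covers every encrypted mount point, the following sh script (an added example, not part of the original page) reads an updatedb.conf-style file and lists the mount points that PRUNEPATHS does not cover. The function names and /mnt/vault are hypothetical, and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: list mount points that PRUNEPATHS in an updatedb.conf-style
# file does not cover. Function names and /mnt/vault are hypothetical.

# Print the PRUNEPATHS value of config file $1 (the last assignment wins).
prunepaths_of() {
  sed -n 's/^[[:space:]]*PRUNEPATHS[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 if path $1 equals, or lies beneath, one of the directories listed
# in $2 (whitespace-separated). Assumes entries contain no glob characters.
is_pruned() {
  target=${1%/}
  for p in $2; do
    p=${p%/}
    case "$target/" in
      "$p"/*) return 0 ;;   # same directory or a descendant of it
    esac
  done
  return 1
}

# Print each mount point (arguments 2..n) that config file $1 leaves indexable.
unpruned_mounts() {
  conf=$1; shift
  paths=$(prunepaths_of "$conf")
  for m in "$@"; do
    is_pruned "$m" "$paths" || printf '%s\n' "$m"
  done
}

# Constructed sample configuration, not taken from a real system.
conf=$(mktemp)
printf '%s\n' 'PRUNE_BIND_MOUNTS = "yes"' \
              'PRUNEPATHS = "/tmp /var/spool /mnt/data"' > "$conf"
# /mnt/data and its subdirectory are covered; /mnt/vault is reported.
unpruned_mounts "$conf" /mnt/data /mnt/data/photos /mnt/vault
rm -f "$conf"
```

On a real system, pass /etc/updatedb.conf and the mount points of your own encrypted volumes; any path printed is still scanned into the system database.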

Application data and system partition

Sensitive/personal application data should be moved to an encrypted partition; you can use symbolic or hard links to make the redirection. This has the advantage of easier backup as well. It is also a good idea to encrypt your home directory, as it is difficult to spot all application data that contain personal data. It can be automatically mounted when you log in, with the same password.

The next step is to encrypt your whole system partition. This is necessary if your data are very sensitive and you suspect some advanced hackers could try to gain access to them, to prevent attackers from installing spy programs on it (by booting a live OS or extracting the hard drive).

Boot security

You can add extra security at boot, depending on the amount of security you want, and the everyday burden it will bring:

  • disable boot from network, USB and CD-ROM, and set a BIOS administrator password that will be needed to re-enable it, just to force attackers to physically remove the RAM and disk if they want to attack them, and to make them waste time so that RAM information can decay a little bit if they didn't anticipate this. It will also complicate their task if they want to compromise your system. All of this without asking you for a password at every boot.
  • set a BIOS password that will be needed to boot the machine.
  • set a hard drive password that will be needed to use the hard drive at boot (but the disks can still be extracted from it).
  • always leave it unattended in sleep mode rather than shut down, so that you can detect that it has been rebooted and may be compromised (but it is more problematic for the keys in RAM).

The system and the environment

Of course all of this requires that you have a good firewall and antivirus if you're using Windows…

And whatever technical security solutions you set up, don't forget that your keystrokes can be detected a few meters around, that a spy camera can be installed in your office, that you can be kidnapped and forced to reveal the passwords… (see plausible deniability concept).

Encrypt your communications

In any case, it is a lot more important to protect the logs on your hard disk than the communications themselves.

  • e-mails: see pgp and enigmail.
  • instant messaging
software/encryption.1324387341.txt.gz · Last modified: 2013/09/19 16:43 (external edit)
CC Attribution-Share Alike 4.0 International