> planning to install -current on my Thinkpad T450s (SSD).
>
> I need to have several data directories encrypted, however would not mind
> whole-disk encryption. Which method would be more supported / recommended?
> Whole-disk encryption or creating a container file, loop device and then
> virtual device with the encryption layer on it?
You would need to encrypt directories with secret data, but also make sure other places like /tmp and swap are encrypted. /tmp can be mounted in RAM and swap is encrypted by default, but keep in mind that you need to know every place your files could be copied to by the system and by the program working on that file.

I would use FDE. Actually I am using it and it works great (BIOS-compatible UEFI mode). Especially if you use an SSD. Often you don't know how the firmware inside the SSD works, but we know that there is commonly a large reserved space for reallocating data from the most intensively used cells. You can't be sure that overwriting data inside a file would actually destroy the data. The best software-only way to destroy data is to never let the SSD see plaintext data. Just encrypt, use it, and when you want to sell the laptop or SSD to somebody - just destroy the key.

https://www.backblaze.com/blog/how-to-securely-recycle-or-dispose-of-your-ssd/
Shorter link: https://tinyurl.com/zo4d7yc

Modern HDDs contain microcontrollers powerful enough to run Linux:
http://spritesmods.com/?art=hddhack&page=7
Shorter: https://tinyurl.com/mubtdhe
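An added example (not from either poster) of the "know every place your files could be copied" check the reply recommends: a Python audit over constructed OpenBSD-style `bioctl`, `/etc/fstab` and `sysctl` output that reports mount points not backed by a softraid CRYPTO volume and a disabled swap-encryption sysctl. It assumes fstab uses `/dev/sdNx` device names rather than DUIDs, and that the softraid volume is the one `bioctl` marks `CRYPTO`.

```python
import re

# Constructed OpenBSD-style command output (sample data, not from a real machine).
BIOCTL_OUT = """Volume      Status               Size Device
softraid0 0 Online      500107862016 sd1     CRYPTO
              0 Online      500107862016 0:0    noencl <sd0a>
"""
FSTAB = """/dev/sd1a / ffs rw 1 1
/dev/sd1d /home ffs rw,nodev,nosuid 1 2
/dev/sd0e /var/tmp ffs rw,nodev,nosuid 1 2
swap /tmp mfs rw,nodev,nosuid,-s=256m 0 0
"""
SYSCTL_OUT = "vm.swapencrypt.enable=1\n"


def crypto_disks(bioctl_out):
    """Disk names backed by a softraid CRYPTO volume, e.g. {'sd1'}."""
    return set(re.findall(r'\b(sd\d+)\s+CRYPTO\b', bioctl_out))


def audit(bioctl_out, fstab, sysctl_out):
    """Return the places where plaintext could reach an unencrypted disk."""
    encrypted = crypto_disks(bioctl_out)
    findings = []
    for line in fstab.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith('#'):
            continue
        dev, mountpoint, fstype = fields[:3]
        if fstype == 'mfs':
            continue  # memory-backed: contents never touch the SSD
        # Assumption: device-node style entries; a DUID entry would not match
        # and is reported so the operator resolves it by hand.
        m = re.match(r'/dev/(sd\d+)[a-p]$', dev)
        if not m or m.group(1) not in encrypted:
            findings.append(f'{mountpoint} on {dev} is not on a CRYPTO volume')
    # A /tmp without its own entry lives on / and is covered by the check above.
    if re.search(r'^vm\.swapencrypt\.enable=0$', sysctl_out, re.M):
        findings.append('swap encryption is disabled (vm.swapencrypt.enable=0)')
    return findings


if __name__ == '__main__':
    for f in audit(BIOCTL_OUT, FSTAB, SYSCTL_OUT) or ['no unencrypted locations found']:
        print(f)
```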