How do you open a document without it leaking all over your operating system?

If you are using a reasonable OS like Debian, which is fully encrypted with whatever defaults are given on there, and you encrypt your documents with a VeraCrypt container, then when you open the document inside the VeraCrypt container, you will leak this file all over the system in the form of various temporary files and so on. Is it possible to open it in a way that it never leaves the container?

I mean you could open it in Tails by making a copy in the home folder or something, since it’s all in RAM, and open it there, but this is too time-consuming just to check some document. Within Debian, is there a way to sandbox the contents of the container and then access them in a way that does not leak?

I mean yes, the full disk encryption is protecting an “who cares if it leaks”. But you never know. I’ve read about people being forced to decrypt in an airport, for instance, and governments are becoming 1984, so you may want to operate in a way that, in the unlikely case you are forced to decrypt the OS, you have no traces of your documents there, which would give you leverage to move these documents elsewhere, and even if you were forced to decrypt the OS it wouldn’t matter. I’m trying to get an idea of how to go about this. Hope it makes sense.

1 Like

I think Qubes would be a better solution for what you’re asking if this is really what you want or how you want it to be.

Why do you have this peculiar requirement? I mean, what use case or purpose exists that warrants such a need is what I am wondering. I’m curious.

It’s only your phone, if that, and very rarely are people asked. And it’s never your computer. But I don’t know your threat model. If thinking about this is warranted for you, I feel like you have a much higher threat model and hence would only recommend you stick with Tails if such is the case.

I ask again out of curiosity for why this is a need. I ask because perhaps another solution may be better suited for your needs and hence this question to better understand your thinking.

I can confirm people have been asked to decrypt their laptops at certain airports, so this explains the rest.

1 Like

Well, in that case and for such threat models, ephemeral OSes are the answer. Save everything on a cloud-based drive that’s private and secure for your threat model.

What country requires decrypting laptops at the airport??? How would they even know it’s encrypted??? Just curious…

We already have a thread about this:

2 Likes

In GNOME settings (at least in Fedora) there is the File History and Trash. I guess you can disable it when you don’t want sensitive data to leak.

I also don’t know how good their implementation is. It’s just that it’s a switch and so far it seems to work when it is off. For other DEs, I do not know how they do it.
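Whether the File History switch discussed in the post above actually kept a document out of the record can be checked by reading the GTK recent-files store, assumed here to live at `~/.local/share/recently-used.xbel`. This is an added example, not part of any post in this thread; the function names, the sample entries and the mount point `/media/veracrypt1` are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# leaked_recent_entries XBEL_FILE MOUNT_POINT
# Print every file:// URI in a GTK recent-files store that lies under
# MOUNT_POINT. URIs are percent-encoded, so a mount point containing
# spaces or non-ASCII characters must be given in encoded form.
leaked_recent_entries() {
    xbel=$1
    mount=${2%/}                      # tolerate a trailing slash
    [ -r "$xbel" ] || return 0        # no store, nothing recorded
    grep -o 'href="file://[^"]*"' "$xbel" |
        sed -e 's/^href="//' -e 's/"$//' |
        awk -v p="file://$mount/" 'index($0, p) == 1'   # exact prefix match
}

# count_leaked_entries XBEL_FILE MOUNT_POINT -> number of matching entries
count_leaked_entries() {
    leaked_recent_entries "$1" "$2" | wc -l | tr -d ' '
}

# write_sample_xbel PATH: constructed store with two entries inside the
# container mount, one elsewhere, and one under a look-alike mount point.
write_sample_xbel() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xbel version="1.0">
  <bookmark href="file:///media/veracrypt1/contract.odt" added="2024-01-01T10:00:00Z"/>
  <bookmark href="file:///home/user/notes.txt" added="2024-01-01T10:05:00Z"/>
  <bookmark href="file:///media/veracrypt1/scans/id.pdf" added="2024-01-01T10:09:00Z"/>
  <bookmark href="file:///media/veracrypt10/other.txt" added="2024-01-01T10:12:00Z"/>
</xbel>
EOF
}

# Demo on the constructed sample. For a real check, pass
# "$HOME/.local/share/recently-used.xbel" and the actual mount point.
demo_file=$(mktemp)
write_sample_xbel "$demo_file"
echo "entries pointing into the container: $(count_leaked_entries "$demo_file" /media/veracrypt1)"
leaked_recent_entries "$demo_file" /media/veracrypt1
rm -f "$demo_file"
```

On GNOME the same switch can be set from a terminal with `gsettings set org.gnome.desktop.privacy remember-recent-files false`. The recent-files store is only one place a path can be recorded; thumbnail caches and per-application history are separate and are not covered by this check.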

Thanks for sharing the link! I missed this one!

You mentioned Tails, but booting into any live OS would work. If I remember correctly you can edit GRUB to add an entry for an ISO image on your hard disk, so you could choose at boot to boot into the live OS. Of course you could also use a VM with a live OS too, but if you’re concerned about exploits breaking the virtualization barrier, the first option might be safer. I think it might also be possible to load your Linux install into RAM, but I’m not sure how difficult that is to pull off.