Seeking an advice here.
Let’s say I have several important files on my Linux PC, like SSH keys, 2FA keys, some encryption keys.
But let’s imagine I also have Google Chrome, Skype, Wine and some AUR packages (same as PPA, for those not familiar with AUR) - and I am paranoid about malware.
How would you protect those sensitive files? Right now I have them outside home folder, owned by root, with 700 / 600 file mode. Also they are all encrypted, either by me or by software that generated them. But I am sure there are better ways to store them.
There’s no reason to store them outside of your home directory. Encrypting the drive and locking down the permissions is key and it sounds like you have that covered already.
On virtually all my external storage (as in SSD’s in USB enclosures, MicroSD cards, and USB sticks), EXT4 + LUKS encryption is my goto filesystem (which is where my backups get made of any sensitive files). LUKS transparently encrypts entire partitions. All modern linux file managers support this. The “Gnome Disks” utility can create these EXT4 + LUKS partitions graphically. (“sudo apt install gnome-disk-utility”, then look for the new app simply called “Disks”).
If I occasionally really want filesystem snapshotting, and don’t need the transparent encryption, I’ll use BTRFS instead.
I keep one and only one legacy USB stick with VFAT for that occasional time I need to give or get a file from a Windows or Mac machine. And I don’t keep anything sensitive on that stick. This is my sacrificial offering to the obstinate Operating Systems out there who can’t move beyond the 1990’s, which apparently pooh-pooh the awesome, modern filesystems such as EXT4, and BTRFS.
Thanks, made a small LUKS + EXT4 partition! I actually love GNOME Disks and use it even when I am not using the DE.
Can’t you also put Btrfs on LUKS?
I wouldn’t recommend trying it. BTRFS has many rather delicate speed optimizations so that it always performs as fast, or faster than filesystems like NTFS (at least that’s always held true in the 10ish storage media where I compared itese two for myself). BTRFS is usually a good 20-30% faster than NTFS, in my (informal) testing.
Having said this, there is planning around baking encryption right into BTRFS (different than LUKS). The BTRFS developers know ZOL (ZFS On Linux) has baked-in encryption now, and they know they need to compete here to catch up.
I have Btrfs set up over LUKS for openSUSE Tumbleweed right now. I can’t speak to the performance because I’ve actually never run it without encryption.
If that arrangement proves stable for you (even during extenuating circumstances like power cuts, sleeping, hibernating, etc), then I say well and good.
Myself, I’m a stickler for stability when it comes to filesystems, and at this time, I only feel a sense of trust around using LUKS with EXT4, which doesn’t do anywhere the additional tap-dancing which BTRFS does (checksumming, snapshotting, inbuilt RAID, etc).
PS: I’ve got a B. Sc. in Comp Sci, and 6 years professional Linux and other Unix Sysadmin experience, administering several file servers.