Advanced hints for a good FDE setup:
- use a CD-R to boot (even better: a Pocket CD-R as you can carry them around more easily, but they are harder to come by nowadays)
- CD-Rs have digits and characters carved/lasered/whatevered into their inner ring close to the center which are probably unique to every disc: memorize those and always check them in case someone tries to slip you a fake CD-ROM
- under Linux, you have to boot the kernel from the CD, but that means you have to burn a new one after every kernel upgrade. To circumvent that, use the kexec program and work it into the boot scripts so that the boot CD boots the updated kernel from the decrypted hard drive (yes, it means you have to enter your password twice for each bootstrap -- you'll get used to it).
- buy a clean, cheap keyboard and glue it shut so that no hardware keylogger or microphone can be implanted into it; switch keyboards if you have a Model M
- use a disk password with maximum entropy, i.e. if your algorithm is 256 bits wide, gen
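
The kexec hint above, as an added example (not part of the original text): a script for the boot CD's initramfs that unlocks the disk, loads the newest installed kernel from it and jumps into that kernel. The device /dev/sda2, the mapping name cryptroot, the mount point /mnt/root, the Debian-style vmlinuz-*/initrd.img-* file names and the kernel command line are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: /dev/sda2 (encrypted
# volume), cryptroot (mapping), /mnt/root (mount point), Debian-style file names.

# Print "<kernel> <initrd>" for the highest-versioned vmlinuz-* in directory $1
# that has a matching initrd.img-*; return 1 if there is no complete pair.
pick_kernel() {
    dir=$1
    for k in $(ls "$dir" 2>/dev/null | sed -n 's/^vmlinuz-//p' | sort -rV); do
        if [ -f "$dir/initrd.img-$k" ]; then
            echo "$dir/vmlinuz-$k $dir/initrd.img-$k"
            return 0
        fi
    done
    return 1
}

boot_from_disk() {
    # First passphrase prompt: unlock the volume from the trusted CD environment.
    cryptsetup open /dev/sda2 cryptroot || return 1
    mkdir -p /mnt/root
    # Read-only: the CD environment only needs to read /boot.
    mount -o ro /dev/mapper/cryptroot /mnt/root || return 1
    pair=$(pick_kernel /mnt/root/boot) || return 1
    set -- $pair
    # kexec -l copies kernel and initrd into RAM, so the disk can be released.
    # The command line is an assumption; use the installed system's real one.
    kexec -l "$1" --initrd="$2" \
        --command-line="root=/dev/mapper/cryptroot ro" || return 1
    umount /mnt/root
    cryptsetup close cryptroot
    # Jump into the loaded kernel. Its own initramfs is assumed to ask for the
    # passphrase again, which is the second prompt the hint mentions.
    kexec -e
}

# Only act when called as "script --boot", so sourcing it has no side effects.
if [ "${1:-}" = "--boot" ]; then
    boot_from_disk
fi
```

The kernel is read from inside the encrypted volume, so the CD stays the only unencrypted boot component and does not need re-burning after a kernel upgrade.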