Filesystem Security

/tmp

The /tmp directory is mounted with the noexec option by adding the following line to /etc/fstab:

# tmpfs for /tmp with noexec
tmpfs	/tmp		tmpfs		rw,nodev,nosuid,noexec,size=4G,nr_inodes=20k,mode=1700,uid=1000,gid=1001	0 0

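The size may turn out to be too small. If so, you can change it on the fly by remounting with a different size option (mount -o remount,rw,size=12G /tmp), or update /etc/fstab later. Mounting /tmp this way should prevent malicious scripts from being executed from /tmp, a directory that is normally world-writable. Note that noexec only blocks direct execution of files on the mount; it does not stop an interpreter from reading a script that is stored there.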
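To confirm the options are really in effect after a remount or an fstab edit, the following added example (not part of the original page) checks a mount table for required options. The function names and the weak sample entry are constructed for illustration; the hardened sample is the fstab line shown above.

```shell
#!/bin/sh
# Added example: audit a mount table for the /tmp options used on this page.
# missing_opts, sample_hardened and sample_weak are hypothetical names.

# missing_opts TABLE MOUNTPOINT REQUIRED...
# Works on fstab or /proc/mounts (same column layout: options are field 4).
# Prints the required options that are absent, or "unmounted" if MOUNTPOINT
# has no entry. If several entries match, the last one listed wins.
missing_opts() {
    table=$1; mp=$2; shift 2
    [ -r "$table" ] || { echo "cannot read $table" >&2; return 2; }
    opts=$(awk -v mp="$mp" '
        /^[[:space:]]*#/ || NF < 4 { next }   # skip comments and short lines
        $2 == mp { o = $4; found = 1 }
        END { if (!found) exit 1; print o }' "$table") || {
        echo unmounted; return 0
    }
    missing=
    for want in "$@"; do
        # Wrap in commas so "suid" never matches inside "nosuid".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
}

# Constructed sample tables: the fstab line from this page, and a weak variant.
sample_hardened() {
    printf 'tmpfs\t/tmp\ttmpfs\trw,nodev,nosuid,noexec,size=4G,nr_inodes=20k,mode=1700,uid=1000,gid=1001\t0 0\n'
}
sample_weak() {
    printf '# constructed weak entry\ntmpfs /tmp tmpfs rw,nosuid,size=4G 0 0\n'
}

# Demo on the constructed samples (nothing on the live system is touched).
demo_dir=$(mktemp -d)
sample_hardened > "$demo_dir/good"
sample_weak > "$demo_dir/weak"
echo "hardened missing: [$(missing_opts "$demo_dir/good" /tmp noexec nodev nosuid)]"
echo "weak missing:     [$(missing_opts "$demo_dir/weak" /tmp noexec nodev nosuid)]"
rm -rf "$demo_dir"
```

On a live system, run missing_opts /proc/mounts /tmp noexec nodev nosuid; empty output means all three options are active on the mounted filesystem, not just written in /etc/fstab.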

Changing permissions for sensitive files

Some files are chmodded to 700 so that only the root user can do anything: