
Been mulling this over myself. Doubt anyone with a reputation would like to stake theirs to another 'solution' that may well turn out to be flawed. Plus the FDE approach seems broken in that machines have to be powered down etc.

I take the view that for my own threat model (i.e. someone nabbing my machine) DC, even TC would be perfectly adequate for that first layer of protection. Advice given by tptacek on using PGP individually for sensitive information (if I have understood correctly) could then be coupled to that FDE where required.

For my own purposes this would protect what needs protecting in terms of at-rest data. A vast improvement over the no-encryption situation.

SSDs with hardware encryption seem to be the new frontline defense for mainstream users such as myself. Same issues as with any FDE, I suppose, but coupled with filesystem PGP encryption ought to again offer adequate protection from opportunistic thieves.


